The General Data Protection Regulation (GDPR) has now come into effect and with it comes new and more onerous reporting and record-keeping requirements in relation to data breaches.
Even with the best technical and security measures in place, the reality is that organisations and the people within them are fallible. Therefore, data breaches can and will occur. We have produced a five-step guide on how best to address this eventuality.
Step 1: Recognising a data breach
It is vital that staff are trained to recognise a data breach so that they can, in turn, promptly take steps to address it. There will be a data breach whenever personal data is lost, destroyed, corrupted, altered, disclosed or accessed without proper authorisation. This includes breaches that are the result of both accidental and deliberate causes. Some examples of data breaches include:
- Access by an unauthorised third party;
- Sending personal data to an incorrect recipient;
- Computing devices containing personal data being lost or stolen;
- Alteration of personal data without permission; and
- Loss of availability of personal data.
Step 2: Containing a data breach
On becoming aware of a breach, staff must immediately communicate it to the individuals within the organisation who are responsible for data protection (e.g. a data protection officer), who will have a response plan in place to prevent further damage being caused. Communication in the event of a data breach is crucial to the containment of damage and should be encouraged amongst staff.
Step 3: Assessing a data breach
This step requires assessing the potential adverse consequences of the data breach, in particular the risk to the data subject’s rights and freedoms. Recital 85 of the GDPR explains that:
“A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned”.
This means that a breach can have a range of adverse effects, including emotional distress and reputational, physical and financial damage. You will need to analyse this on a case-by-case basis, looking at all relevant factors such as the type of data involved, how sensitive the data is, how many records were affected, what impact the records being made public would have on the data subject and whether encryption was used.
This analysis will assist in determining the likelihood and severity of the resulting risk to the data subject, which will, in turn, inform the decision about whether or not you need to notify the relevant supervisory authority and the affected individuals.
Step 4: Reporting a data breach
Information Commissioner's Office (ICO) - If, after undertaking your assessment, you determine that there is a likely risk of harm to the data subject’s rights and freedoms, then you must notify the ICO. You must do so without undue delay and within 24 hours, but in any event within 72 hours of becoming aware of the breach. If you take longer than this, you must give reasons for the delay. The ICO must be provided, as a minimum, with the following details:
- The nature of the breach, including the approximate number of individuals affected and the categories of data that have been breached;
- Contact details of the organisation’s data protection officer or other contact point where more information can be obtained;
- The likely consequences of the personal data breach;
- The measures taken, or proposed to be taken, by the organisation to address the breach.
If the risk of harm is unlikely, then you do not have to report it, but you do need to justify your decision and should document it.
Data Subjects - If the breach is likely to result in a “high risk” to the rights and freedoms of the data subject, you must also inform those directly concerned without undue delay.
A “high risk” means the threshold for informing data subjects is higher than for notifying the ICO. However, this additional notification will not be required if:
- Appropriate technical and organisational protection measures have been implemented and applied to the affected personal data;
- Subsequent measures have been taken to ensure that the high risk to the rights and freedoms of the data subject is unlikely to materialise; and
- It would involve disproportionate effort to notify individual data subjects. In this circumstance, a public announcement may be more appropriate.
Remember that failure to report a breach when required to do so could result in a fine, as well as a fine for the breach itself.
Step 5: Recording a data breach
Organisations must keep a record of any personal data breaches, regardless of whether they are required to notify, and they must also document their decision-making process in line with the requirements of the GDPR accountability principle.
By implementing robust breach detection, investigation and internal reporting, organisations will be putting themselves in the strongest possible position to meet the above strict requirements and to do so within the tight timeframe provided.