Advice for data controllers
On Thursday 19 July 2018 the ICO hosted a webinar on Data Breach Reporting. It was aimed at Data Controllers and provided advice and guidance on how and when to report security breaches to the ICO following the introduction of the General Data Protection Regulation (GDPR) on 25 May 2018.
The General Data Protection Regulation (GDPR) introduces a duty to report certain types of personal data breaches to the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach. Failure to do so may result in a fine of up to 10 million euros or 2 per cent of your global turnover.
This means that you must implement robust measures that will enable you to detect, investigate and report personal data breaches, and assess if they require formal reporting to the Information Commissioner or those individuals to whom the personal data breach relates.
So, what is a personal data breach?
The GDPR defines a personal data breach as “… a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
This includes breaches that result from accidental as well as deliberate causes. It also means that a breach is about more than just losing personal data.
To help identify a data breach, the ICO describes three specific types of breach, whilst recognising that in practice a single breach may include elements of more than one of these.
- Confidentiality: an unauthorised or accidental disclosure of, or access to, personal data. This includes lost data.
- Integrity: an unauthorised or accidental alteration to personal data, including partial losses arising from technical disruptions.
- Availability: an accidental or unauthorised loss of access to, or destruction of, personal data.
Identifying personal data breaches
It is the responsibility of the Data Controller to put in place suitable measures that not only protect personal data from breaches, but also identify breaches if they occur and provide an appropriate response. The Data Controller becomes aware that a breach has occurred when there is a reasonable degree of certainty that a security incident has led to personal data being compromised.
Assessing data breaches
Not all data breaches have to be reported to the Information Commissioner. The Information Commissioner’s Office must be informed if the breach is likely to result in a risk to the rights and freedoms of an individual, for example discrimination, damage to reputation, financial loss, loss of confidentiality, or other economic or social disadvantage. This should be assessed on a case-by-case basis.
Furthermore, where a breach is likely to result in a “high risk” of adversely affecting an individual’s rights and freedoms, you must notify the individual directly.
When assessing these risks, you should consider a combination of the severity and the likelihood of the potential negative consequences of a breach. Factors to consider include:
- the type of breach,
- the nature, sensitivity, and volume of personal data,
- how easy it is to identify individuals,
- the potential consequences, and
- any special characteristics of the individuals, for example, whether they are children.
Notifiable breaches must be reported to the ICO without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach. The 72 hours include weekends, evenings and bank holidays, and if you take longer than this you must give a reason for the delay.
What does the ICO need to know?
Where the personal data breach is assessed as a risk to individuals, you must describe the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned, and the categories and approximate number of personal data records concerned. In addition, you should inform the ICO of:
- the name and contact details of the data protection officer or other contact point where more information can be obtained;
- a description of the likely consequences of the personal data breach; and
- a description of the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
If the breach is likely to result in a high risk to the rights and freedoms of individuals, the GDPR requires you to provide this information, in clear and plain language, directly to those concerned as soon as possible.
Regardless of whether you inform the ICO and/or the individuals, you should properly document your risk assessment and decision-making process.
If you decide not to notify individuals, the ICO has the power to compel you to inform the affected individuals if it considers there is a high risk.
To meet the requirements of the GDPR in respect of personal data breach management and reporting you should have in place the following measures:
- a comprehensive security incident management plan designed to identify, assess, and remedy security incidents;
- a formal risk assessment process that identifies incidents that are notifiable to the ICO or data subjects;
- a reporting procedure that meets the ICO’s timing requirements;
- appropriate technical and organisational measures designed to maintain the security of personal data; and
- robust business continuity plans designed to ensure the continued availability of personal data.
These measures should be supported by documented policies and procedures.