The General Data Protection Regulation introduces a requirement for controllers to notify personal data breaches to the relevant supervisory authority. Whilst new to the UK, many member states already have in place a notification obligation for personal data breaches, either limited to particular categories of controllers or, in the Netherlands, for all personal data breaches. This blog post shall address some of the main queries arising in relation to this obligation as it exists under the GDPR.
No. Not all data breaches will need to be reported: only those that are likely to result in a risk to the rights and freedoms of individuals. If such a risk is likely, controllers must notify the ICO without undue delay, and no later than 72 hours after having become aware of it. A controller will be considered to have “become aware” when it has a reasonable degree of certainty that a security incident has occurred and has led to personal data being compromised. The emphasis is always on taking prompt action. Data breach reports to the supervisory authority must contain, as a minimum, all of the information set out in Article 33(3) of the GDPR.
If personal data is already publicly available, a disclosure of that data may not constitute a likely risk to the individual concerned.
If personal data has been made unintelligible to unauthorised parties and a copy or backup exists, a confidentiality breach involving properly encrypted personal data may not need to be notified to the supervising authority, depending on the length of time taken to restore data from the backup and the effect this has on individuals. Also, if circumstances change - for example if the encryption key is subsequently found to be compromised - notification may then be required.
Yes – all breaches must be documented – even those that do not need to be reported. Organisations should keep an Internal Register of Breaches for this purpose and someone should be assigned the task of completing this for all breaches.
The GDPR defines “personal data breach” as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
Any unauthorised alteration or corruption of data will count as “damage”. “Loss” is to be interpreted as including any situation where the controller has lost control of, or access to, the data, as well as when it no longer has the data in its possession. Examples include: where a controller has lost a decryption key; where a USB key containing unencrypted personal data has been lost; where a third party informs a controller that it has accidentally received personal data of one of the controller’s customers and provides evidence to this effect; or where a controller detects and confirms that there has been an intrusion into its network and that personal data has been compromised.
This will depend on the circumstances, but potentially yes. A temporary loss of access to data is still a data breach, so it must always be documented. Whether it needs to be reported will depend on the impact that the temporary breach could have on the individuals whose personal data is affected. The Article 29 Working Party gives two examples. The first is the situation where a hospital’s critical medical data about patients is temporarily unavailable: this could present a risk to individuals’ rights and freedoms, so it must be reported. The second is a media company whose systems are unavailable for several hours and, as a result, newsletters cannot be sent to clients: this is unlikely to present a risk to individuals’ rights and freedoms, so it will not need to be notified.
Note that planned maintenance on a system resulting in a short, temporary loss of access to personal data will not constitute a breach.
Controllers must inform individuals about any personal data breaches where there is a high risk to the individuals’ rights and freedoms. In such a situation, individuals must be informed without undue delay. The communication must use clear and plain language and contain, as a minimum, the following information:
Good practice would also be, where possible, to provide specific advice to individuals to protect themselves from possible adverse effects as a result of a breach (such as resetting passwords if credentials have been compromised).
There are three conditions which if met, means that no notification to the individual will be required even if there is initially a high risk to the rights and freedoms of the individuals (unless circumstances change at a later time):
Even if you do not have all the relevant details about the breach, you must still notify the supervising authority as soon as you know that there is a potential risk involved. Information can be provided in phases, so you can update the authority as more information becomes available.
Yes. A breach can have a range of significant adverse effects on individuals and is not limited to financial loss. Damage can be physical, material or non-material, so it can include loss of control over their personal data, limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, and loss of confidentiality of personal data protected by professional secrecy.
Data processors do not escape without responsibility - they also have an obligation to report any breaches to their controller without undue delay after becoming aware of a personal data breach. For this reason it is also a good idea for data processors to have a documented notification procedure in place.
Failure to report a breach either to the supervising authority or to the individual (if required) may mean that a sanction under Article 83 is applicable. The supervising authority has a range of corrective measures at its disposal, including administrative fines, which in this case could be up to 10M Euros or up to 2% of the annual worldwide turnover of the undertaking. If there is a breach and a controller fails to notify, the supervising authority can issue a sanction for (i) failure to notify or communicate the breach and (ii) potentially also for the absence of adequate security measures, as these are two separate infringements.
Note that it is better to err on the side of caution. There is no penalty for reporting what you believe to be a breach, which later transpires not to be a breach.
This is possible only in limited circumstances. Each individual personal data breach is a reportable incident. However, the controller may be able to submit a “bundled” notification representing all the breaches, as long as they concern the same type of personal data breached in the same way, over a relatively short space of time. In any other situation, each breach must be reported separately.
Firstly, you must establish whether your activity falls within the definition of cross-border processing for the purposes of the GDPR. If it is established that cross-border processing is involved and a breach occurs, you must notify the lead supervising authority. Note that this may not be where the data subjects are located or where the breach took place.
The lead supervising authority is usually the supervisory authority of the main establishment, or of the single establishment, of the controller or processor. The main establishment is where the central administration of the controller is: the place where the decisions about the purposes and means of the processing of personal data are taken, and which has the power to have such decisions implemented. If you are unsure, you should seek legal guidance on this issue.
There are a number of steps which should be taken as soon as possible, including the following:
For more information on GDPR, contact andy.harris@mbmcommercial.co.uk.