The General Data Protection Regulation introduces a requirement for controllers to notify personal data breaches to the relevant supervisory authority. Whilst new to the UK, many member states already have in place a notification obligation for personal data breaches, either limited to particular categories of controllers or, in the Netherlands, for all personal data breaches. This blog post shall address some of the main queries arising in relation to this obligation as it exists under the GDPR.
Do all breaches need to be reported?
No. Not all data breaches need to be reported: only those that are likely to result in a risk to the rights and freedoms of individuals. If such a risk is likely, controllers must notify the ICO without undue delay, and no later than 72 hours after having become aware of it. A controller will be considered to have “become aware” when it has a reasonable degree of certainty that a security incident has occurred and has led to personal data being compromised. The emphasis is always on taking prompt action. Data breach reports to the supervisory authority must contain, as a minimum, all of the information set out in Article 33(3) of the GDPR.
If personal data is already publicly available, a disclosure of that data may not constitute a likely risk to the individual concerned.
If personal data has been made unintelligible to unauthorised parties and a copy or backup exists, a confidentiality breach involving properly encrypted personal data may not need to be notified to the supervising authority, depending on the length of time taken to restore data from the backup and the effect this has on individuals. Also, if circumstances change - for example if the encryption key is subsequently found to be compromised - notification may then be required.
Do we have to keep internal records of breaches?
Yes – all breaches must be documented – even those that do not need to be reported. Organisations should keep an Internal Register of Breaches for this purpose and someone should be assigned the task of completing this for all breaches.
What kind of incidents constitute a breach for the purposes of GDPR?
The GDPR defines “personal data breach” as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
Any unauthorised alteration or corruption of data will count as “damage”. “Loss” is to be interpreted as including any situation where the controller has lost control of, or access to, the data, as well as where it no longer has the data in its possession. Examples include: where a controller has lost a decryption key; where a USB key containing unencrypted personal data has been lost; where a third party informs a controller that it has accidentally received personal data of one of the controller’s customers and provides evidence to this effect; or where a controller detects and confirms that there has been an intrusion into its network and that personal data has been compromised.
If we suffer a temporary loss of availability to personal data, does this count as a breach that needs to be notified?
This will depend on the circumstances, but potentially yes. A temporary loss of access to data is still a data breach, so it must always be documented. Whether it needs to be reported will depend on the impact that the temporary breach could have on the individuals whose personal data is affected. The examples given by the Article 29 Working Party are, firstly, the situation where a hospital’s critical medical data about patients is temporarily unavailable. This could present a risk to individuals’ rights and freedoms, so it must be reported. However, in the case of a media company whose systems are unavailable for several hours and, as a result, newsletters cannot be sent to clients, this is unlikely to present a risk to individuals’ rights and freedoms, so it will not need to be notified.
Note that planned maintenance on a system resulting in a short, temporary loss of access to personal data will not constitute a breach.
Do we need to tell the individuals whose data the breach relates to?
Controllers must inform individuals about any personal data breaches where there is a high risk to the individuals’ rights and freedoms. In such a situation, individuals must be informed without undue delay. The communication must use clear and plain language and contain, as a minimum, the following information:
- A description of the nature of the breach;
- The name and contact details of the data protection officer or other contact point;
- A description of the likely consequences of the breach; and
- A description of the measures taken or proposed to be taken by the controller to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.
Good practice would also be, where possible, to provide specific advice to individuals to protect themselves from possible adverse effects as a result of a breach (such as resetting passwords if credentials have been compromised).
There are three conditions which, if met, mean that no notification to the individual will be required even if there is initially a high risk to the rights and freedoms of the individuals (unless circumstances change at a later time):
- The controller has applied technical and organisational measures to protect the personal data prior to the breach, e.g. state-of-the-art encryption;
- Immediately following the breach, the controller has taken steps to ensure that the high risk posed to individuals’ rights and freedoms is no longer likely to materialise;
- It would involve disproportionate effort to contact the individuals, for example where their contact details have been lost as a result of the breach or were not known in the first place. Instead, the controller must make a public communication or take a similar measure whereby individuals are informed in an equally effective manner.
What if I don’t know all relevant details as to what has happened yet?
Even if you do not have all relevant details about the breach, you must still notify the supervising authority as soon as you know that there is a potential risk involved. Information can be provided to them in phases so you can update them with more information.
We have lost some personal data but no financial information was included – does this still count as a breach?
Yes. A breach can have a range of significant adverse effects on individuals and is not limited to financial loss. Damage can be physical, material or non-material, so it can include loss of control over their personal data, limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, and loss of confidentiality of personal data protected by professional secrecy.
I’m not a data controller but am a subcontractor who does process data. Do I have to notify breaches?
Data processors do not escape without responsibility - they also have an obligation to report any breaches to their controller without undue delay after becoming aware of a personal data breach. For this reason it is also a good idea for data processors to have a documented notification procedure in place.
What happens if I don’t notify the ICO or the individual about a breach?
Failure to report a breach either to the supervising authority or to the individuals (where required) may attract a sanction under Article 83. The supervising authority has a range of corrective measures at its disposal, including administrative fines, which in this case could be up to EUR 10 million or up to 2% of the annual worldwide turnover of the undertaking. If there is a breach and a controller fails to notify, the supervising authority can issue a sanction for (i) failure to notify or communicate the breach and (ii) potentially also for the absence of adequate security measures, as these are two separate infringements.
Note that it is better to err on the side of caution. There is no penalty for reporting what you believe to be a breach, which later transpires not to be a breach.
If there are a number of small breaches, can I report them all at the same time?
This is possible only in limited circumstances. Each individual personal data breach is a reportable incident. However, the controller may be able to submit a “bundled” notification representing all the breaches, as long as they concern the same type of personal data breached in the same way, over a relatively short space of time. In any other situation, each breach must be reported separately.
If I process data of individuals in different Member States, who do I notify?
Firstly, you must establish whether your activity falls within the definition of cross-border processing for the purposes of the GDPR. If it is established that cross-border processing is involved and a breach occurs, you must notify the lead supervising authority. Note that this may not be where the data subjects are located or where the breach took place.
The lead supervising authority is usually the supervisory authority of the main establishment or of the single establishment of the controller or processor. The main establishment is where the central administration of the controller is. This is the place where the decisions about the purposes and means of the processing of personal data are taken and this place has the power to have such decisions implemented. If you are unsure you should seek legal guidance on this issue.
What action should I be taking now to prepare for GDPR compliance?
There are a number of steps which should be taken as soon as possible, including the following:
- All controllers and processors must have in place appropriate technical and organisational measures to ensure a level of security appropriate to the risk posed to the personal data being processed. The measures used must be able to establish immediately whether a breach has taken place. Technical measures could include data flow and log analysers. A data audit is a good starting point to establish what data is held, how it is used, who has access to it, how long it is kept and what security measures are currently in place.
- Controllers and processors need to put in place processes to:
  - be able to detect and promptly contain a breach;
  - assess the risk to individuals;
  - determine whether it is necessary to notify the competent supervisory authority; and
  - communicate the breach to the individuals concerned where necessary.
- Within an organisation, someone (or more than one person) should be tasked with taking responsibility for addressing incidents, establishing the existence of a breach and assessing the risk (this could be the Data Protection Officer if the organisation has appointed one). This person or these people must be adequately trained on the GDPR requirements, including completion of the Internal Register of Breaches and any Breach Reports required.
- Prepare an Incident Response Plan, including guidelines on the above steps and reporting mechanisms.
- Staff should be educated on the GDPR requirements and the organisation’s Incident Response Plan, ensuring that they understand the procedures to follow in case of a breach.
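As an added example (not from the original post), the notification rules described above expressed as a small Python breach register: every incident is recorded whether reportable or not, the 72-hour clock for notifying the supervisory authority runs from the moment the controller became aware, and individuals are informed only for high-risk breaches not covered by one of the three exceptions. The class names, fields and sample entries are assumptions constructed for this illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum

class Risk(Enum):
    UNLIKELY = 0  # no likely risk: document internally only
    LIKELY = 1    # likely risk: notify the supervisory authority
    HIGH = 2      # high risk: also inform the individuals concerned

@dataclass
class Breach:
    ref: str                  # internal reference (constructed for this example)
    aware_at: datetime        # reasonable certainty that personal data was compromised
    nature: str
    risk: Risk
    protected_before: bool = False          # e.g. state-of-the-art encryption applied
    risk_neutralised: bool = False          # post-breach steps: high risk no longer likely
    contact_disproportionate: bool = False  # e.g. contact details lost in the breach
    updates: list = field(default_factory=list)  # information supplied in phases

    def sa_deadline(self) -> datetime:
        """Notification to the supervisory authority is due within 72 hours."""
        return self.aware_at + timedelta(hours=72)

    def must_notify_authority(self) -> bool:
        return self.risk is not Risk.UNLIKELY

    def is_overdue(self, now: datetime) -> bool:
        return self.must_notify_authority() and now > self.sa_deadline()

    def individual_communication(self) -> str:
        """'none', 'direct', or 'public' (the substitute where contact is disproportionate)."""
        if self.risk is not Risk.HIGH or self.protected_before or self.risk_neutralised:
            return "none"
        return "public" if self.contact_disproportionate else "direct"

def sample_register() -> dict:
    """Internal Register of Breaches with constructed entries; every breach is recorded."""
    t0 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    entries = [
        Breach("BR-001", t0, "USB key with unencrypted customer data lost", Risk.HIGH),
        Breach("BR-002", t0, "credentials exposed; all affected passwords reset within the hour",
               Risk.HIGH, risk_neutralised=True),
        Breach("BR-003", t0, "contact database leaked, contact details lost in the breach",
               Risk.HIGH, contact_disproportionate=True),
        Breach("BR-004", t0, "newsletter system unavailable for several hours", Risk.UNLIKELY),
    ]
    return {b.ref: b for b in entries}
```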