GDPR Blog Week 6: Security Breaches
The GDPR has made some important changes to the area of data breaches and the notifications a data controller is required to make to the ICO (Information Commissioner’s Office).
You may recall that a data breach is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
This covers loss, theft or damage of physical equipment on which personal data is stored. If an organisation has inadequate access controls (i.e. passwords) which have allowed unauthorised use, this would constitute a security breach, but the definition also covers human error and unforeseen factors such as fire or flooding. Remember that there need not be anything sinister in the manner in which the data has been breached; it is sufficient that the data has been removed from the boundaries of protection usually provided to it.
Presently, there is no legal requirement to report a data breach, but under the GDPR this will change. The Regulation creates an obligation on the controller to notify the ICO without undue delay and, in any event, within 72 hours of the time that you become aware of the breach. If you outsource your data processing activities, your processor must alert you to a breach, and it will be important to review your data processing contracts to ensure they are obligated to do so within strict time limits. Data subjects must also be notified about a breach where it presents a high risk to the individuals affected. The ICO guidance clarifies that where this would involve disproportionate effort because of the volume of data subjects, notification may be achieved with a public communication, although we have yet to understand in what circumstances a public communication would be appropriate.
There are some exceptions to this rule: you can avoid a notification to the ICO if the breach is unlikely to result in a risk to the data subject, and you can avoid notifying the data subject if the breach is unlikely to result in a high risk to them. Whilst the GDPR is silent on a definition of “risk” and “high risk”, the indication is that a breach without ramifications or risk to the data subject would fit this description. An example would be the loss of encrypted or pseudonymised data, or of data that has been destroyed but which a back-up recovery process would allow you to retrieve. If you are in any doubt about whether a breach is reportable, consult the ICO, who will advise whether a formal notification should be made to them and/or to the data subject.
At the point where a notification must be made, remember that the ICO does not need a full and comprehensive report (you may not know the extent of the breach or the data targeted at this point), but you will provide a valid notification if you ensure they have a few key facts. The notification should contain, where possible, the number of data subjects affected and the number and categories of records concerned. It should also give a description of the likely consequences of the breach and the measures that have been taken to deal with it. The name and contact number of the DPO within the organisation should also be provided. Any additional information can be passed to the ICO as and when it becomes available.
My advice would be to put in place a Data Breach Response Plan now to guide you through a breach if/when it occurs. Failure to make a valid notification may result in a fine, even if you are, in every other way, GDPR compliant. Consider whether you are required to carry out a Data Protection Impact Assessment (DPIA) and whether you are embedding Privacy by Design into your processes (more on these later). Keep a Breach Register so that you can list all breaches, even those that are not reportable, as you will need to evidence why you did not consider a notification necessary. This will ensure that you keep your house in order if audited at some later date.
I hope that this blog has been helpful but please don’t hesitate to contact me, Louise Weatherhead at Louise.firstname.lastname@example.org or by telephone on 0191 226 3699 or speak to another member of the Data Protection Team if you require any further information.
We will be releasing our blogs on a weekly basis in the run-up to May to pick apart the new legislation in simple terms and help you to get GDPR-ready. Next week, our topic will be Privacy Notices in your business or organisation. We hope that our blogs help you to think about transition arrangements and getting to grips with the new GDPR.