Reporting personal data breaches
Personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Obligation to report
The GDPR obliges the data controller to notify the Information Commissioner’s Office (ICO) of a personal data breach without undue delay and within 72 hours after having become aware of it. Being "aware" means that you have a reasonable degree of certainty that a security incident has occurred. You do not need to report the personal data breach if it is unlikely to result in a risk to the rights and freedoms of individuals. If the notification is not made within 72 hours, a reasoned justification for the delay must accompany the notification.
Three types of breaches are identified and all three may take place at the same time:
- ‘Confidentiality breach’ – where there is an unauthorised or accidental disclosure of, or access to, personal data.
- ‘Availability breach’ – where there is an accidental or unauthorised loss of access to, or destruction of, personal data, which could be permanent or temporary.
- ‘Integrity breach’ – where there is an unauthorised or accidental alteration of personal data.
In considering whether there is an obligation to report an incident, you should consider whether there is likely to be an impact on the data subject’s physical wellbeing, property, finances or reputation. Potential damage could include a loss of control over their personal data, discrimination, identity theft or fraud, financial loss, damage to reputation, loss of confidentiality of data protected by professional confidentiality, or any other economic or social disadvantage to the individual concerned.
Contracts with processors must contain a requirement for personal data breaches to be reported to the data controller without undue delay, which has been interpreted as immediately.
What information must be provided to the ICO?
The notification to the ICO should include:
- A description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned, and the categories and approximate number of data records concerned
- The name and contact details of the data protection officer or other contact point where more information can be obtained
- The likely consequences of the personal data breach
- The measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, to mitigate its possible adverse effects
It may not be possible to provide all this information at the time of notification, but it should then be provided without undue delay. We would recommend that information is only provided to the ICO after legal advice has been sought and once there is a clear indication of what has taken place. It will often not be possible to provide all of this information within 72 hours, so every organisation should have a process in place to respond to breaches, and professional advisers to call on, to ensure that an immediate and effective investigation is carried out in response to a breach and the obligations under the GDPR are fulfilled.
The controller is under an obligation to document any personal data breaches, whether they are reported or not, in a personal data breach register. This should detail the facts surrounding the breach, its effects and the remedial action taken. It should be reviewed to identify any recurring security or other issues. The documentation must enable the ICO to verify compliance with the notification obligations and so must contain information about why a decision was taken not to report a breach.
Reporting data breaches to the data subject
If a personal data breach is likely to result in a high risk to the rights and freedoms of a data subject, the controller is obliged to advise them without undue delay so that they can take the necessary precautions. The loss of, or unauthorised access to, any special category data is likely to need to be reported to the data subject, as is the loss of, or unauthorised access to, financial data, particularly if it can be used to access an individual’s bank account and/or commit identity fraud.
The ICO may also be involved at this stage; its advice on how this is done, and any guidance it issues, should be followed. It may be appropriate to advise data subjects before advising the ICO in cases where prompt action on the part of the data subject could avoid any potential damage.
Your clients should be advised of the breach in plain language and the notification should describe the nature of the personal data breach, a description of the likely consequences and the steps taken to address the breach, including recommendations to the individual concerned to take action which may mitigate potential adverse effects. There should also be a point of contact where more information can be obtained from the controller.
Clients should be advised directly unless that would involve disproportionate effort, in which case it would be acceptable to provide a public communication.
Again, an assessment will be required about whether the breach requires to be reported. If you have implemented appropriate technical and organisational measures and, for example, all the electronic data compromised was encrypted, then you may not require to notify the data subjects concerned. Steps taken following the breach could also mean that any identified risks are no longer likely to materialise.
You need to take into account: the nature, sensitivity and volume of personal data; the ease of identification of individuals; the severity of the consequences for individuals; any special characteristics of the individuals; the number of individuals affected; and any special characteristics of the data controller, i.e. whether they owe a duty of confidentiality to the data subject over and above their obligations under the GDPR.
The ICO can insist that the controller notifies data subjects if it believes that there is a likelihood of a high risk.
For more information see the ICO website on personal data breaches.
Case study - data breach
Our high street firm has created a simple incident log to record any personal data breaches, whether reported or not.
Contact: Joan Smith, Data Protection Lead at High St Firm, joansmith@highstreet.co.uk
| Nature of incident/breach | Potential consequences of the breach | Data subject informed | ICO informed (72hrs) | Actions taken/changes made as a result of the breach |
|---|---|---|---|---|
This section is part of the GDPR guide for law firms: data protection regulations from the perspective of a legal practice.