There’s a lot of confusion about data breach reporting – the GDPR says you have to report breaches but the Information Commissioner’s Office (ICO) says too many are being reported. There are several issues around data breach reporting. Here we will just explore the question of whether you need to report or not. If you need further advice on this or any other aspect of data protection please get in touch.
What does the GDPR actually say?
Reporting a data breach to the ICO
Article 33 says:
In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority … unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
The first thing to note is that this only relates to personal data breaches, defined in Article 4 as:
a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed
Essentially, there is a personal data breach when the data controller no longer has control of the personal data. If the breach relates to data which is not personal data then the GDPR breach reporting requirement does not apply.
The Article 33 wording is slightly convoluted, but it comes down to this:
- You need to assess the likelihood of risk to data subjects. If it is likely that there is a risk, you need to report the breach to the ICO.
- Once you are aware that there has been a breach, unless you can argue for extra time, you have 72 hours to inform the ICO.
Reporting a data breach to the data subject
Article 34 says:
When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.
The communication to the data subject referred to in paragraph 1 shall not be required if any of the following conditions are met:
(a) the controller has implemented appropriate technical and organisational protection measures, and that those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
(b) the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialise;
(c) it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.
- You need to assess the likelihood of high risk to data subjects. If it is likely that there is a high risk, you need to inform the data subjects about the breach.
- If you need to inform data subjects, this must be done ‘without undue delay’, unless:
  - You have applied ‘appropriate technical and organisational protection measures’ to the relevant data – essentially, this means either encryption or pseudonymisation, or
  - You have, subsequent to the breach, taken measures to remove the risk to data subjects, or
  - It would involve ‘disproportionate effort’. In this case you would need to find some other way of notifying data subjects, such as advertisements in local newspapers or on the radio. This would, of course, create very bad publicity.
The first thing to do, before you have a personal data breach, is to prepare a procedure for handling a breach. Without this, the most likely outcome is panic.
Risk level of a Personal Data Breach
The hardest thing here is to decide the level of risk. To a large extent, this should be worked out in advance as part of your personal data audit. For each data item in your data audit you should think about the different ways it could be used to harm a data subject and decide on a risk level – this may involve physical, material or non-material damage, such as discrimination (including hate crimes), identity theft or fraud, financial loss and damage to reputation. This now starts to get difficult, but you should also consider risk levels for combinations of data as this may well be much higher than for individual items. The context of the data may be very significant, for example, a list of people who have cancelled deliveries may be fairly innocuous, but if they have cancelled deliveries because they are on holiday it is much more sensitive.
You should also consider the way in which a data breach can occur – a deliberate data breach is more likely to result in risk than a simple mistake as someone clearly wants the data, presumably with a purpose for it.
Almost certainly, if the data breach involves special categories of personal data (racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data, health data, sex life or sexual orientation data), criminal convictions or financial/banking data, then there will be a high risk.
Other factors which affect the level of risk include the volume of data and the number of data subjects, the ease of identifying data subjects (e.g. access to another database may be required to identify the users of mobile phone numbers), and the vulnerability of the data subjects.
For any fellow geeks reading this, the European Union Agency for Network and Information Security (ENISA) has produced ‘Recommendations for a methodology of the assessment of severity of personal data breaches’.
Timing of a Data Breach Report
Unless you have very good reason, reporting to the ICO must be done within 72 hours of being aware of a breach. You are deemed to be aware of it when either anyone in your organisation or any of your data processors is aware of it. It is very important to deal with this in the required timescale – you don’t have to carry out a full investigation first, the information required by Article 33 can be provided in phases.
Notifying data subjects, when required, must be done ‘without undue delay’. Clearly, this is likely to be after reporting to the ICO. It may take a while to identify the data subjects affected by the breach. Notifying data subjects is all about transparency and allowing data subjects to protect themselves against possible consequences of the breach. In most cases it should be possible to obtain advice from the ICO on the need to notify data subjects.
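The decision rules above (Article 33 reporting, Article 34 notification and its three exemptions), the risk factors listed under “Risk level of a Personal Data Breach”, and the 72-hour clock that starts when anyone in the organisation or any processor becomes aware can be written down as a small triage helper for a breach-handling procedure. The following is an added example, not code from the original article or from the ICO/ENISA; the field names, the risk weights and the score thresholds are illustrative assumptions, and the sample incidents are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Categories the article treats as almost certainly "high risk": the Article 9
# special categories plus criminal convictions and financial/banking data.
HIGH_RISK_CATEGORIES = {
    "racial_or_ethnic_origin", "political_opinions", "religious_or_philosophical_beliefs",
    "trade_union_membership", "genetic", "biometric", "health",
    "sex_life_or_orientation", "criminal_convictions", "financial_banking",
}

@dataclass
class BreachFacts:
    """Facts the incident handler records about one breach (field names are assumptions)."""
    involves_personal_data: bool
    data_categories: List[str]          # what was exposed, e.g. ["name", "health"]
    deliberate: bool                    # deliberate theft/exfiltration rather than a simple mistake
    data_subjects: int                  # number of people affected
    subjects_easily_identifiable: bool  # no second dataset needed to identify them
    subjects_vulnerable: bool           # e.g. children or patients
    unintelligible_to_outsiders: bool   # encryption/pseudonymisation applied to the affected data
    risk_removed_afterwards: bool       # later measures mean the high risk is no longer likely
    direct_contact_disproportionate: bool
    awareness_times: List[datetime]     # when each staff member or processor became aware

@dataclass
class Decision:
    risk_level: str                       # "none", "unlikely", "risk" or "high_risk"
    report_to_ico: bool
    ico_deadline: Optional[datetime]
    subject_communication: Optional[str]  # "direct", "public_communication" or None
    exemption: Optional[str]

def assess_risk(f: BreachFacts) -> str:
    """Score the factors the article lists. Weights and thresholds are assumptions
    chosen for illustration, not ICO or ENISA figures."""
    if not f.involves_personal_data:
        return "none"                     # not a personal data breach: GDPR reporting does not apply
    if HIGH_RISK_CATEGORIES & set(f.data_categories):
        return "high_risk"
    score = 0
    score += 2 if f.deliberate else 0                 # someone wanted the data, presumably with a purpose
    score += 1 if len(f.data_categories) > 1 else 0   # combinations are riskier than single items
    score += 1 if f.data_subjects >= 1000 else 0      # volume / number of data subjects
    score += 1 if f.subjects_easily_identifiable else 0
    score += 1 if f.subjects_vulnerable else 0
    if score >= 4:
        return "high_risk"
    if score >= 2:
        return "risk"
    return "unlikely"

def triage(f: BreachFacts) -> Decision:
    level = assess_risk(f)
    report = level in ("risk", "high_risk")           # Article 33: report unless risk is unlikely
    deadline = None
    if report and f.awareness_times:
        # The organisation is "aware" as soon as anyone in it, or any processor, is aware,
        # so the 72-hour clock runs from the earliest awareness time, not the latest.
        deadline = min(f.awareness_times) + timedelta(hours=72)
    channel = exemption = None
    if level == "high_risk":                          # Article 34: tell the data subjects...
        channel = "direct"
        if f.unintelligible_to_outsiders:             # ...unless one of the exemptions applies
            channel, exemption = None, "Art 34(3)(a): data unintelligible to unauthorised persons"
        elif f.risk_removed_afterwards:
            channel, exemption = None, "Art 34(3)(b): subsequent measures removed the high risk"
        elif f.direct_contact_disproportionate:
            channel, exemption = "public_communication", "Art 34(3)(c): disproportionate effort"
    return Decision(level, report, deadline, channel, exemption)

# Constructed sample incidents (not real cases).
def example_lost_laptop(encrypted: bool = False) -> BreachFacts:
    """A laptop holding a patient list is lost; a processor noticed a day before the controller."""
    return BreachFacts(
        involves_personal_data=True, data_categories=["name", "health"], deliberate=False,
        data_subjects=200, subjects_easily_identifiable=True, subjects_vulnerable=True,
        unintelligible_to_outsiders=encrypted, risk_removed_afterwards=False,
        direct_contact_disproportionate=False,
        awareness_times=[datetime(2024, 3, 2, 10, 0, tzinfo=timezone.utc),   # controller
                         datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)],   # processor
    )

def example_misaddressed_email() -> BreachFacts:
    """One newsletter sent to the wrong recipient, exposing 50 email addresses."""
    return BreachFacts(
        involves_personal_data=True, data_categories=["email"], deliberate=False,
        data_subjects=50, subjects_easily_identifiable=True, subjects_vulnerable=False,
        unintelligible_to_outsiders=False, risk_removed_afterwards=False,
        direct_contact_disproportionate=False,
        awareness_times=[datetime(2024, 3, 5, 14, 30, tzinfo=timezone.utc)],
    )

if __name__ == "__main__":
    for facts in (example_lost_laptop(), example_lost_laptop(encrypted=True), example_misaddressed_email()):
        print(triage(facts))
```

Two design points are worth noting. The deadline is taken from the earliest awareness time across staff and processors, which is why processor contracts need a prompt-notification clause; and encryption only switches off the Article 34 duty to contact individuals in this model, it does not remove the Article 33 report, matching the article's point that a breach of well-protected data may still need reporting to the ICO.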
If you have ‘appropriate technical and organisational measures’ in place to keep personal data secure, then a data breach will not constitute a breach of the legislation (although it may be embarrassing and damage your reputation). However, it may still need to be reported – not doing so may itself be a breach of the legislation. If it is a significant breach, somebody will almost certainly report it to the ICO … it is better if it comes from you, and, until there is clearer guidance on the concepts of ‘risk’ and ‘high risk’, you probably should not hold back, even if the ICO is complaining about over-reporting.
And … don’t forget this only applies to personal data breaches!