What is a personal data breach, and what should I do if I think I have suffered a breach?
29th April 2021
The UK GDPR puts an obligation on all organisations to record and, in some cases, report personal data breaches to the appropriate Data Protection Authority (DPA), and in specific cases to the Data Subject themselves.
Organisational policies will often say something like, ‘… should a data breach occur, notify IT or the InfoSec Team without delay’. The key question is: would all members of your team, at every stage of their employment journey, know what constitutes a personal data breach? And, crucially, do they know what action needs to be taken if they discover you have suffered a breach?
Is everyone clear about which personal data breaches need reporting and which don’t?
According to the Information Commissioner, “You should ensure you have robust breach detection, investigation and internal reporting procedures in place.”
We have summarised our advice below.
How to recognise a personal data breach
If you can answer yes to these questions, it is likely you have a personal data breach:
- Has there been an incident that has affected or compromised the security, integrity, trustworthiness or availability of personal data?
Whether this is human error, malicious, accidental or deliberate is irrelevant.
- Has personal data been lost, for example left on public transport, or has a laptop been stolen?
- Has personal data been destroyed prematurely?
- Has personal data been corrupted?
- Has personal data been disclosed to unauthorised parties?
- Has an unauthorised person accessed personal data?
- Has personal data been passed on without proper authorisation?
- Has personal data been made unavailable, for example in a ransomware attack, in a way that may have a detrimental effect on individuals?
If you answer ‘yes’ to any of the above, you have potentially suffered a personal data breach and must address the matter.
The highest priority of a Controller is to protect Data Subjects, so your first question must be: could any harm come to this individual as a result of this breach? In a worst-case example, the personal data of a victim could be accidentally shared with a perpetrator, and your priority is to protect the Data Subject. Assuming we are not dealing with life-and-death matters, the next most significant issue is whether the breach needs to be notified to the ICO and, at an appropriate time, to the individuals concerned.
What to do if we have had a personal data breach?
Firstly, in order to minimise potential consequences, contain the breach and take steps to make sure it can’t happen again.
Then you must assess the severity of the breach. What is the risk to the individuals concerned and potentially to other third parties? What harm may be caused to the organisation, its employees, its shareholders, its reputation etc.? You must consider the negative impact that the breach will have.
It is important to note that when managing a breach, especially large or significant matters, the commercial considerations of an organisation never outweigh the obligations to protect individuals and report to the DPA. It is partly for this reason that a DPO should be independent and have no conflict of interests, for example, if the DPO was also the CEO they may be more concerned with public image than robustly managing the breach.
Each case should be judged carefully on the facts of the matter, and to do that you may wish to consider the following risks or detriments:-
- Could the Data Subject suffer any physical or mental harm or distress, or suffer any financial or material loss?
- Could the breach cause them to lose any or all of their legal rights?
- Could the breach result in them suffering discrimination?
- Is their identity at risk of theft or fraud?
- Could their reputation be damaged?
- Could their privacy be affected, or could any information which they gave you in confidence be compromised?
The ICO site throws a very wide net when asking you to consider the risks and the impact on individuals, and states that you must also consider “any other significant economic or social disadvantage to the natural person concerned.”
If you feel that any of the above is a possibility then you must notify the individuals concerned promptly so that they can take any mitigating action to protect themselves, should this be required.
However, if the breach will not pose a ‘high risk’ to the rights and freedoms of the individuals, you would not have to notify the individuals.
Even if you decide that the risk is low and you do not need to inform the Data Subjects involved, you may still need to notify the ICO if there is a risk to “people’s rights and freedoms.” With every actual and potential breach you must document the incident and all relevant details, in case you need to justify your decision-making further down the line.
How long do we have to notify a personal data breach to the ICO?
Assuming a breach is reportable, the UK GDPR and the Data Protection Act state that you must report a notifiable breach to the appropriate DPA, which in our case is the ICO, without undue delay, and no later than 72 hours after becoming aware of it.
Note the ‘becoming aware of it’ clause. This means when the Controller became aware of it, not when the DPO was informed. 72 hours is just 3 days, so if the breach occurred on a Friday afternoon, your initial report to the ICO must be submitted by Monday afternoon or you will be in breach. In December 2020 the Irish Data Protection Commission fined Twitter €450,000 for failing to manage a data breach correctly and reporting late.
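The notification procedure described above (assess the risk to individuals, decide whether the ICO and the Data Subjects must be told, work the 72-hour deadline from the moment the Controller became aware, and document the reasoning) can be kept in a simple breach register. The following is an added example written for this article, not the author's or the ICO's own tooling; the record fields, the detriment labels and the sample Friday-afternoon breach are this example's own constructed choices.

```python
"""Breach triage register (added example; field names and labels are assumptions)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

ICO_WINDOW = timedelta(hours=72)  # calendar hours: weekends and bank holidays count

# The detriments the article lists. Any one of them makes the breach "high risk"
# to individuals and triggers notification of the Data Subjects. Labels are ours.
HIGH_RISK_DETRIMENTS = {
    "physical_or_mental_harm",
    "financial_or_material_loss",
    "loss_of_legal_rights",
    "discrimination",
    "identity_theft_or_fraud",
    "reputational_damage",
    "loss_of_confidentiality",
    "other_economic_or_social_disadvantage",
}


def utc(iso: str) -> datetime:
    """Parse an ISO-8601 timestamp; naive values are taken as UTC."""
    stamp = datetime.fromisoformat(iso)
    return stamp if stamp.tzinfo else stamp.replace(tzinfo=timezone.utc)


@dataclass
class BreachRecord:
    reference: str
    description: str
    aware_at: datetime                 # when the Controller became aware, not the DPO
    risk_to_rights_and_freedoms: bool  # any risk at all -> notify the ICO
    detriments: set = field(default_factory=set)  # subset of HIGH_RISK_DETRIMENTS
    contained: bool = False
    log: list = field(default_factory=list)       # the documented decision trail

    def __post_init__(self):
        if self.aware_at.tzinfo is None:
            raise ValueError("aware_at must be timezone-aware to compute the deadline")
        unknown = self.detriments - HIGH_RISK_DETRIMENTS
        if unknown:
            raise ValueError(f"unknown detriment(s): {sorted(unknown)}")

    @property
    def ico_deadline(self) -> datetime:
        """72 hours after awareness, regardless of working days."""
        return self.aware_at + ICO_WINDOW

    def hours_remaining(self, now: datetime) -> float:
        """Hours left before the ICO deadline; negative once overdue."""
        return (self.ico_deadline - now) / timedelta(hours=1)

    def must_notify_data_subjects(self) -> bool:
        return bool(self.detriments)

    def must_notify_ico(self) -> bool:
        # A high risk to individuals is also a risk to their rights and freedoms.
        return self.risk_to_rights_and_freedoms or self.must_notify_data_subjects()

    def decide(self, now: datetime) -> dict:
        """Record the notification decision and the reasons behind it."""
        reasons = []
        if self.detriments:
            reasons.append("high risk to individuals: " + ", ".join(sorted(self.detriments)))
        if self.risk_to_rights_and_freedoms:
            reasons.append("risk to people's rights and freedoms")
        if not reasons:
            reasons.append("no risk identified; documented but not notifiable")
        decision = {
            "reference": self.reference,
            "notify_ico": self.must_notify_ico(),
            "notify_data_subjects": self.must_notify_data_subjects(),
            "ico_deadline": self.ico_deadline.isoformat(),
            "hours_remaining": round(self.hours_remaining(now), 1),
            "overdue": now > self.ico_deadline,
            "contained": self.contained,
            "reasons": reasons,
        }
        self.log.append((now.isoformat(), decision))  # every breach is documented
        return decision


if __name__ == "__main__":
    # Constructed sample: a laptop reported stolen on a Friday afternoon.
    record = BreachRecord(
        reference="BR-EXAMPLE-001",
        description="Unencrypted laptop with customer records stolen from a car",
        aware_at=utc("2021-04-30T15:00:00+00:00"),
        risk_to_rights_and_freedoms=True,
        detriments={"identity_theft_or_fraud", "financial_or_material_loss"},
        contained=True,
    )
    print(record.decide(utc("2021-05-03T10:00:00+00:00")))
```

The register deliberately counts calendar hours rather than working days, so a Friday 15:00 awareness time produces a Monday 15:00 deadline, which is the point the paragraph above makes. A breach with no identified risk still gets a log entry, because the decision not to notify is exactly what you may later have to justify.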
Other things to consider
You must not only manage a breach correctly but be able to prove that you have done so, remember:-
- Document everything.
- Put clear policies and procedures in place, hopefully to prevent the breach, but if one does occur that everyone knows the actions to take.
- Investigate the cause of the breach and take steps to prevent it from happening again, whether a system failure or human error caused the problem.
- According to the ICO human error is the leading cause of data breaches; they suggest “mandatory data protection induction and refresher training.”
- Within your organisation, ensure that personnel are comfortable enough to report breaches and know how to do it – foster an open, blame-free culture.
- Make sure all your digital systems are robustly protected with up-to-date technical measures and aligned to the highest data protection and cyber security protocols.
As an aside, I would like to point out that we advise our clients to train their staff in identifying and reporting data ‘incidents’. This deliberately has a very wide definition, and in this way colleagues do not get confused or side-tracked by trying to figure out whether an incident is a breach or not. All incidents get reported to the DPO or compliance teams, who then classify the matter as a breach or not – simple.
If you would like further information or advice or would like to arrange for training for yourself or your wider team, please do get in touch or take advantage of our 30-minute complimentary consultation session. Book your no-obligation consultation here.
Find out more about our training courses here.