GDPR: what to do when a data breach occurs

Under the current UK data protection regime, governed by the Data Protection Act 1998, there is no general legal obligation on data controllers to report breaches of data security that result in the loss or compromise of personal data. It is very much up to an organisation to decide, on a case by case basis, whether to disclose a breach. However, the General Data Protection Regulation (GDPR) will introduce strict new reporting and record-keeping requirements in relation to data breaches.

Reporting to the Information Commissioner

Under the General Data Protection Regulations, once a personal data breach is established, if there is a risk to the rights and freedoms of individuals due to the breach, the applicable Data Controller is to:

• Notify the ICO without undue delay and by no later than 72 hours; and
• Notify the individual whose personal data is affected by the breach (save in specific circumstances, see below).

If the notification to the ICO is not made within 72 hours, it should still be submitted but with reasons provided for the delay.

What should the report contain?

Any notification to the ICO should include at least:

• The nature of the personal data breach (and, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned);
• The name and contact details of the Data Protection Officer (if applicable) or other point of contact where more information can be obtained;
• A description of the likely consequences of the personal data breach; and
• The measures taken or proposed to be taken by the Data Controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

Any data processor is to notify the Data Controller, without undue delay, on becoming aware of any personal data breach.

When will ICO-reported data breaches not have to be reported to affected individuals?

If the matter has been reported to the ICO, the Data Controller will have to notify the affected individual, except where the following apply:

• The Data Controller has implemented appropriate technical and organisational protection measures to the data affected by the breach to make the personal data unintelligible;
• The Data Controller has taken subsequent measures which ensure that the high risk to the Data Subjects would no longer be likely to materialise; or
• It would involve disproportionate effort, in which case a public communication (or similar) should be made to inform the Data Subjects.

When data breaches do not have to be reported to the ICO

If the breach is unlikely to result in a risk to the rights and freedoms of individuals then no report to the ICO needs to be made.

If you would like to discuss the circumstances in which a data breach will present a risk and when a report should be made, please do not hesitate to get in touch.

Requirement to record all breaches

Under the GDPR, the Data Controller is still to document any personal data breaches, their effects and any remedial action taken, even if the breach is unlikely to result in a risk to the rights and freedoms of individuals.

That documentation should be stored to be available for assessment by the ICO.

This requirement has not been highlighted very much and could go unnoticed. For example, the ICO’s most recent blog on reporting data breaches made no reference to recording low-risk breaches. However, it remains a requirement and a failure to effectively maintain a record of all data breaches (whether or not they pose risk) is a failure to comply with the GDPR, which requires employers to be transparent and accountable in all aspects of their data handling.

What do I need to do?

Your preparations for the GDPR need to include steps to raise staff awareness of the new mandatory reporting requirement. Remember that failure to report a breach when required to do so could result in a fine, as well as a fine for the breach itself.

Make sure that your staff know how to recognise a data breach and understand that this goes further than the loss or theft of information (including, for example, inappropriate access to or distribution of data) and that there are internal reporting requirements.

Under the new reporting regime, the timescale for reporting a breach is tight. You will need to think carefully about whether your internal breach reporting procedures are fit for purpose. Who should concerned staff report to? How will you decide when a breach should be notified to the ICO/those affected? Who will be responsible for record keeping?

If you would like any assistance with this, we would be happy to help you design a robust approach/policy to safeguard your organisation.