This blog has been updated to reflect industry updates. Originally published 24 October 2018.
The first 72 hours after you become aware of a data breach are critical. This is the deadline given to you under the EU GDPR (General Data Protection Regulation) to report information security incidents to your supervisory authority.
As you might expect, there are a lot of intricacies involved. This blog guides you through everything you need to know about the GDPR’s personal data breach notification requirements, including how to report incidents and the potential repercussions for failing to comply.
Not all breaches need to be reported
Data breaches only need to be reported if they “pose a risk to the rights and freedoms of natural living persons”. This generally refers to the possibility of affected individuals facing economic or social damage, such as discrimination, reputational damage or financial losses.
Most breaches fit into this category, but not all of them. For example, if the information can’t be linked to a specific individual, there’s likely to be very little risk.
Whether you are required to notify or not, the GDPR mandates that you keep a record of all personal data breaches. This make the response process a little simpler, as the initial steps will be the same regardless of whether the breach needs to be reported. You can focus on assessing the incident, cauterising the damage and documenting the steps you’ve taken. From there you can determine whether you need to report the incident.
How to report data breaches
Data breach notifications need to be sent to your supervisory authority. For organisations in the UK, this is the ICO (Information Commissioner’s Office). Your report must contain:
- Situational analysis: Provide as much context as possible, including the initial damage (what happened), how it affected your organisation (what went wrong) and what caused it (how it happened).
- Assessment of affected data: Ascertain the categories of personal data and the number of records concerned.
- Description of the impact: Describe the consequences of the breach for affected parties. This will depend on the information that was compromised.
- Report on staff training and awareness: If the breach was a result of human error, did the employee(s) involved receive data protection training in the past two years? Provide details of your staff awareness training programme.
- Preventive measures and actions: What measures did you have in place before the breach to prevent incidents like this from occurring? What steps have you taken, or plan to take, to mitigate the damage?
- Oversight: Provide the contact details of your DPO (data protection officer) or the person responsible for data protection.
The GDPR acknowledges that it will be hard to produce this much information within 72 hours. You’re not expected to provide comprehensive details, but it’s important to get the process going as quickly as possible. Your investigation will almost certainly continue beyond the notification deadline, and you can provide further information to the ICO when it becomes available.
Will you be fined if you don’t report an incident?
Failing to report an incident is a violation of the GDPR and is punishable by a fine. However, the ICO has repeatedly said that fines will be a last resort and only issued for egregious or repeat offences.
That’s not to say failure to notify won’t come with any form of penalty. The ICO can discipline organisations in other ways, such as enforcement actions and audits. If this happens, your compliance measures will be scrutinised, weaknesses will be flagged and you’ll be expected to make the appropriate changes.
Some organisations have criticised this approach, saying that the data breach should be punishment enough. However, Information Commissioner Elizabeth Denham insists that the ICO’s response measures aren’t punishments. “The law is designed to push companies and public bodies to step up their ability to detect and deter breaches,” she said. “What is foremost in regulators’ minds is not to punish the organisations, but to make them better equipped to deal with security vulnerabilities.”
She added: “We understand that there will [still] be attempts to breach organisations’ systems, and that data breach reporting will not miraculously halt criminal activity. But the law will raise the level of security and privacy protections across the board.”
Are you ready for a breach?
The GDPR has been in effect for a few months now, but it’s not as though the compliance deadline was a cut-off point for addressing its requirements. Most organisations still have a lot of work to do, and they should keep plugging away with their available resources.
This not only helps reduce the risk of a data breach and moves them closer to GDPR compliance but it also demonstrates to the ICO that they are doing everything in their power to address information security. The ICO has said that it will be lenient on organisations that can demonstrate that they are taking steps to improve their compliance posture.
In the meantime, ensure you’ll handle any breaches in a compliant manner with our data breach support service. This service will determine what happened, report to the ICO where needed and report to data subjects if needed.