72 hours and counting: Reporting data protection breaches under the GDPR

The first 72 hours after you discover a data breach are critical.

Why? The GDPR (General Data Protection Regulation) requires all organisations to report certain types of personal data breach to the relevant supervisory authority.

More specifically, Article 33 says that, in the event of a personal data breach, data controllers should notify the appropriate supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it.

But how do you report a data breach, and what are the pitfalls when it comes to meeting this requirement?

In this post, we explain everything you need to know.


What is a data breach?

Let’s start with the basics. The GDPR is concerned only with personal data – i.e. information that relates to a natural person, as opposed to company details. It’s only when personal data is breached that you need to consider your GDPR compliance requirements.

But ‘breach’ here doesn’t simply refer to cyber attacks. Article 4 of the Regulation defines a personal data breach as any event that results in:

the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

As this definition suggests, data breaches aren’t always a result of cyber criminals hacking into an organisation’s systems. Breaches are just as likely to occur when an employee:

  • Accidentally sends personal information to the wrong person;
  • Accesses files that aren’t relevant to their job function;
  • Shares information with someone outside the organisation;
  • Loses a device, such as a laptop, that contains personal information; or
  • Fails to secure information online, making it publicly available.

Incidents that render organisations unable to access systems containing personal data, such as ransomware attacks or damaged hardware, are also considered data breaches, because the information is no longer accessible.



When do data breaches need to be reported?

Data breaches only need to be reported if they “pose a risk to the rights and freedoms of natural living persons”.

This generally refers to the possibility of affected individuals facing economic or social damage (such as discrimination), reputational damage or financial losses.

Most data breaches fit into this category, but those that don’t include information that is linked to a specific individual are unlikely to pose a risk.

Whether you are required to report a data breach or not, the GDPR mandates that you keep a record of it.


Be wary of overreporting

Whether it’s due to misunderstanding the GDPR’s compliance requirements or an abundance of caution, many organisations overlook the difference between recordable and reportable data breaches.

This is a trend that John Potts, Head of DPO, DSAR & Breach Support at GRCI Law, has noted since the GDPR took effect on 25 May 2018.

Speaking to IT Governance, he explained that organisations often report every incident they experience, because they “want to inform the ICO before someone else does, so they can get their side of the story in first.”

Potts acknowledges that it’s best to err on the side of caution if you’re unsure whether a data breach needs to be reported, but urges organisations to take the opportunity to consider this rather than going straight into reporting mode. The ICO helpline is always on hand to offer advice.

Potts added that organisations should be concerned not only about over-reporting incidents but also about what is initially reported.

“In my experience, the ICO appreciates that sometimes all the details of the breach may not be known at the initial stage of reporting. It is more important that the rights of the data subject are protected as soon as possible rather than an organisation try to get their mitigation across to the ICO when they may not have a full picture,” he said.

“This desire to ‘fill in the form’ can lead to a knee-jerk reaction, meaning that the ICO and the organisation can go off on unnecessary avenues of investigations,” he added.


How to report a data breach 

Data breach notifications need to be sent to your supervisory authority. For organisations in the UK, this is the ICO.

Your report must contain:

1) Situational analysis: You must provide as much context about the breach as possible. This includes the initial damage, how it affected your organisation, and what caused it.

2) Assessment of affected data: You’ll need to determine the categories of personal data that have been breached, and the number of records affected.

3) Description of the impact: Next, you’ll need to outline the consequences of the breach for affected parties. This will depend on the information that was compromised and whether the data subject is aware of the breach.

4) Report on staff training and awareness: If the breach was a result of human error, you’ll need to disclose whether or not the employee(s) involved received data protection training in the past two years. If they have, you should provide details of your staff awareness training programme.

5) Preventive measures and actions: Outline what (if any) preventive measures you had in place before the breach occurred. You should also explain what steps you have taken, or plan to take, to mitigate the damage.

6) Oversight: Finally, you’ll need to provide the contact details of your DPO (data protection officer) or the person responsible for data protection.

The GDPR acknowledges that it may be difficult to produce this much information within 72 hours, but the important thing is to demonstrate that you’ve made progress.

You don’t need to obsess over an exact 72-hour deadline. It is far more important that the risks to the data subjects are addressed.

The timings of breaches are not an exact science; if you find yourself approaching the 72-hour deadline, contact the ICO with the specific, not speculative, details that you have.

A swift response that’s documented clearly but sent a few hours late is better than a shoddy response that was rushed in order to meet the disclosure deadline, Potts advises.


 


The emphasis is on protection of the rights and freedoms of the data subjects. Any breach that is likely to attract media interest should be reported to the ICO at the very earliest opportunity.

Potts concluded by reminding organisations that, although not covered specifically by the GDPR, in the event of a reportable breach they may have a legislative duty to inform other statutory bodies, such as the CQC. If they are OES (operators of essential services) or RDSPs (relevant digital service providers) under the Network and Information Systems Regulations 2018, they will need to report the breach to the relevant regulatory body.

It’s worth adding that your investigation can – and probably should – continue beyond the notification deadline.

More information will come to light as you analyse what went wrong and speak to those involved, and you can provide those details to the ICO where necessary.


What happens after you report an incident?

Once you’ve informed the ICO of the incident, you’ll receive an automatic email to confirm receipt of your disclosure.

The incident will then go into a list of active cases that the ICO will look into in due course. You will generally hear back quite quickly if the investigators are happy with your actions.

If the ICO suspects a GDPR violation, however, it may begin a formal investigation. These can take several months to complete, thanks to a backlog in cases and the back-and-forth nature of providing documentation and talking to relevant employees. In the event that the breach constitutes a criminal offence, they may instigate a criminal investigation.

That said, the ICO is likely to prioritise the case if the incident involves a serious breach affecting a lot of data subjects or is likely to attract media attention.

We’ve seen this already with July 2019’s ruling on Marriott International’s massive data breach. The breach was disclosed in November 2018, and the ICO came back with a verdict just over seven months later, announcing its intention to fine the hotel chain £99 million.


What happens if you don’t report an incident?

Failing to report an incident is a violation of the GDPR and is punishable by a fine.

That doesn’t mean you should expect a barrage of financial penalties, though. The ICO has repeatedly said that fines will be a last resort and only issued for egregious or repeat offences.

That’s not to say failure to notify won’t come with any form of penalty.

The ICO can discipline organisations in other ways, such as enforcement actions and audits.

If this happens, your compliance measures will be scrutinised, weaknesses will be flagged and you’ll be required to make the appropriate changes.

Some organisations have criticised this approach, saying that the data breach should be punishment enough.

However, Information Commissioner Elizabeth Denham insists that the ICO’s response measures aren’t punishments.

“The law is designed to push companies and public bodies to step up their ability to detect and deter breaches,” she said.

“What is foremost in regulators’ minds is not to punish the organisations, but to make them better equipped to deal with security vulnerabilities.”

She added: “We understand that there will [still] be attempts to breach organisations’ systems, and that data breach reporting will not miraculously halt criminal activity. But the law will raise the level of security and privacy protections across the board.”


Quickly respond to a data breach in line with the GDPR’s requirements

Identifying a data breach under the GDPR – who has been affected, how extensive it is and how it happened – within 72 hours can pose a challenge for any business.

With the threat of a data breach becoming increasingly imminent, it’s vital that your organisation is prepared to respond in a crisis.

Our GDPR Data Breach Support Service provides everything you need to comply with the GDPR’s data breach reporting requirements, all in one place, at a fixed cost.


A version of this blog was originally published on 24 October 2018.
