The first 72 hours after you discover a data breach are critical.
Why? The EU GDPR requires all organisations to report certain types of personal data breach to the relevant supervisory authority.
More specifically, Article 33 dictates that, in the event of a personal data breach, data controllers notify the appropriate supervisory authority without undue delay and, where, feasible, not later than 72 hours after having become aware of it.
But how do you report a data breach, and what are the potential repercussions for failing to comply with GDPR’s data breach notification requirements?
In this post, we explain everything you need to know.
What is a personal data breach?
The ICO defines a personal data breach as:
…a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
Personal data breaches can include:
- Access by an unauthorised third party;
- Deliberate or accidental action (or inaction) by a controller or processor;
- Sending personal data to an incorrect recipient;
- Devices containing personal data being lost or stolen;
- Alteration of personal data without permission; and
- Loss of availability of personal data.
What data breaches need to be reported?
Data breaches only need to be reported if they “pose a risk to the rights and freedoms of natural living persons”.
This generally refers to the possibility of affected individuals facing economic or social damage (such as discrimination), reputational damage or financial losses.
Most breaches fit into this category, but not all of them. For example, if the information can’t be linked to a specific individual, there’s likely to be very little risk.
Whether you are required to notify or not, the GDPR mandates that you keep a record of all personal data breaches.
This make the response process a little simpler, as your initial response will be the same regardless of whether the breach needs to be reported.
You can focus on assessing the incident, containing the damage and documenting the steps you’ve taken. From there you can determine whether you need to report the incident.
Reporting a data breach
Data breach notifications need to be sent to your supervisory authority. For organisations in the UK, this is the ICO (Information Commissioner’s Office).
Your report must contain:
1) Situational analysis: You must provide as much context about the breach as possible. This includes the initial damage, how it affected your organisation, and what caused it.
2) Assessment of affected data: You’ll need to determine the categories of personal data that has been breached, and the number of records affected.
Recommended reading: GDPR: How the definition of personal data has changed
3) Description of the impact: Next, you’ll need to outline the consequences of the breach for affected parties. This will depend on the information that was compromised.
4) Report on staff training and awareness: If the breach was a result of human error, you’ll need to disclose whether or not the employee(s) involved received data protection training in the past two years. If they have, you should provide details of your staff awareness training programme.
5) Preventive measures and actions: Outline what (if any) preventative measures you had place before the breach occurred. You should also explain what steps have you taken, or plan to take, to mitigate the damage.
6) Oversight: Finally, you’ll need to provide the contact details of your DPO (data protection officer) or the person responsible for data protection.
The GDPR acknowledges that it will be hard to produce this much information within 72 hours.
You aren’t expected to provide comprehensive details, but it is important to get the process going as quickly as possible.
Your investigation will almost certainly continue beyond the notification deadline, and you can provide further information to the ICO when it becomes available.
What happens if you don’t report an incident?
Failing to report an incident is a violation of the GDPR and is punishable by a fine.
However, the ICO has repeatedly said that fines will be a last resort and only issued for egregious or repeat offences.
That’s not to say failure to notify won’t come with any form of penalty.
The ICO can discipline organisations in other ways, such as enforcement actions and audits.
If this happens, your compliance measures will be scrutinised, weaknesses will be flagged and you’ll be expected to make the appropriate changes.
Some organisations have criticised this approach, saying that the data breach should be punishment enough.
However, Information Commissioner Elizabeth Denham insists that the ICO’s response measures aren’t punishments.
“The law is designed to push companies and public bodies to step up their ability to detect and deter breaches,” she said.
“What is foremost in regulators’ minds is not to punish the organisations, but to make them better equipped to deal with security vulnerabilities.”
She added: “We understand that there will [still] be attempts to breach organisations’ systems, and that data breach reporting will not miraculously halt criminal activity. But the law will raise the level of security and privacy protections across the board.”
Quickly respond to a data breach in line with the GDPR’s requirements.
Identifying a data breach under the GDPR – who has been affected, how extensive it is and how it happened – within 72 hours can pose a challenge for any business.
With the threat of a data breach becoming increasingly imminent, it’s vital that your organisation is prepared to respond in a crisis.
Our GDPR Data Breach Support Service provides everything you need to comply with the GDPR’s data breach reporting requirements, all in one place, at a fixed cost.
This blog has been updated to reflect industry updates. Originally published 24 October 2018.