In her third blog for us, Nicole Thompson covers the important area of data breaches and the related changes that will come into force with the new GDPR in May 2018.
This is an area that will change significantly when GDPR comes into force in May 2018. Businesses will only have a relatively short period of time to:
- investigate personal data breaches, and
- decide whether it’s necessary to report the breach to the ICO and, in some cases, to their customers.
What constitutes a personal data breach?
A data breach is defined as a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Therefore, by implication, it’s a breach that is more than just losing personal data.
What type of breach will trigger a notification to the Information Commissioner's Office (ICO)?
The ICO is the UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
You must notify the ICO of a breach where it is likely to result in a risk to the rights and freedoms of individuals. This means that if you do nothing, the result of the breach is likely to have a significant, detrimental effect on individuals. The ICO gives the following examples:
- discrimination,
- damage to reputation,
- financial loss,
- loss of confidentiality, or
- any other significant economic or social disadvantage.
This has to be decided on a case-by-case basis. A basic example is where a breach leaves an individual open to identity theft; where this happens you will need to notify the ICO. However, an example of when it may not be necessary to report a breach is where there is a loss or inappropriate alteration of a staff contact list.
Notifying the ICO
Businesses have to report a notifiable breach to the ICO within 72 hours of becoming aware of it. If it is a serious breach that warrants notification to the public, you must do so without undue delay.
This gives a very short timeframe for a business to investigate and decide if it is a notifiable breach and, if it is, it will also have to notify its clients. If you do not have an action plan to deal with this scenario, your business will be at a disadvantage and you may face an ICO fine.
Fines for failure to comply with this requirement can be substantial.
New levels of financial penalty for non-compliance are:
- €10m or 2% of global turnover for the preceding financial year, whichever is the higher (in extreme cases).
You should ensure that you have robust breach detection, investigation and internal reporting procedures in place. This will facilitate decision-making regarding whether or not you need to notify the relevant supervisory authority and the affected individuals.
You must also keep a record of any personal data breaches, regardless of whether you are required to notify or not.
When do individuals have to be notified?
You have to notify individuals directly where a breach is likely to result in a high risk to their rights and freedoms.
NB: there is a difference in the threshold of when you need to inform an individual versus when you need to inform the ICO. The use of the term ‘high risk’ means the threshold for notifying individuals is higher than for notifying the ICO.
Details of a breach notification
The notification should include the following information:
- The nature of the personal data breach including, where possible:
  - the categories and approximate number of individuals concerned, and
  - the categories and approximate number of personal data records concerned,
- The name and contact details of the data protection officer (if your organisation has one) or other contact point where more information can be obtained,
- A description of the likely consequences of the personal data breach, and
- A description of the measures taken, or proposed to be taken, to deal with the personal data breach and, where appropriate, of the measures taken to mitigate any possible adverse effects.
Preparing for a personal data breach
As a minimum, you should:
- Train your staff on what constitutes a data breach for notification purposes, and that this is more than a loss of personal data,
- Create an internal breach reporting procedure. This will facilitate decision-making about whether you need to notify the ICO or the public – this will be discussed further in my training sessions being held at Digital Sparkles offices in February and March 2018.
A quick checklist may be:
☐ We know how to recognise a personal data breach.
☐ We understand that a personal data breach isn’t only about loss or theft of personal data.
☐ We have prepared a response plan for addressing any personal data breaches that occur.
☐ We have allocated responsibility for managing breaches to a dedicated person or team.
☐ Our staff know how to escalate a security incident to the appropriate person or team in our organisation to determine whether a breach has occurred.
The content of this document has been written with best practices in mind; however, this is not a substitute for taking legal advice on your circumstances. If you do require specific advice, get in touch with us and we’ll be happy to assist you.