We are often asked by clients how to determine whether a breach is reportable to the supervisory authority and/or a data subject or if it should simply be recorded in the Data Breach Register.
The GDPR introduces a duty on all establishments to report personal data breaches to the Information Commissioner’s Office (ICO) where they are likely to pose a risk to data subjects. This report must be made within 72 hours of the data controller becoming aware of the breach, where feasible.
The data controller also has an additional obligation to notify the affected data subjects, without undue delay, if the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms.
Historically, breach reporting was optional, with no obligation to tell the ICO, although major breaches had increasingly been reported voluntarily.
The ICO has revealed that it has been receiving 500 reports per week since the GDPR came into force, a third of which are considered unnecessary or fail to meet the threshold for a data breach.
The annual report figures show that in 2016/17 the breaches reported totalled 2,565. By comparison, 1,792 were reported in June 2018 alone. Clearly a significant degree of over-reporting is happening, and it appears to be increasing.
It is therefore important to assess each breach in its entirety and to establish a systematic process that can be followed so that reportability is correctly identified.
The steps to take are as follows:
STEP ONE – What is a ‘data breach’?
The first step in deciding whether a reportable data breach has occurred involves considering whether there has been a data breach.
A personal data breach is defined under the Regulation as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
The definition covers three broad categories:
- Unauthorised access: occurs when personal data is accessed by someone who is not permitted to have access, such as unauthorised access by an employee, contractor or third party. Example: a computer network being compromised by an external attacker, resulting in personal information being accessed without authority.
- Unauthorised disclosure: occurs when personal data is made accessible or visible to third parties, and that information is released from the establishment’s effective control in a way that is not permitted. Example: an employee accidentally publishes a confidential data file containing the personal information of one or more individuals on the internet.
- Loss: occurs when there is accidental or inadvertent loss of personal information held by an establishment, in circumstances where it is likely to result in unauthorised access or disclosure. Example: an employee leaves folders containing personal information on a train.
STEP TWO – Is serious harm likely?
The second step involves deciding whether, from the perspective of a reasonable person, the data breach would be likely to result in serious harm to an individual whose personal information was part of the data breach.
‘Serious harm’ is not defined in the GDPR. In the context of a data breach, serious harm to an individual may include serious physical, psychological, emotional, financial, or reputational harm.
Establishments should assess the risk of serious harm holistically, having regard to the likelihood of the harm to data subjects and the consequences of the harm.
The relevant matters with which to assess the likelihood of serious harm are, broadly:
Circumstances of the data breach. Relevant considerations in this regard are:
- Whether the breach was malicious or inadvertent: where a third party appears to target the personal data of a particular individual or group of individuals, this may increase the risk of serious harm, as it is more likely the data is intended for malicious purposes.
- How long the data has been accessible: the longer the access period, the higher the chance of serious harm.
- Volume of personal data involved: the more personal data involved in a breach, the greater the chance that data subjects can be identified, and thus the higher the risk of serious harm.
- Type of personal data involved: information about an individual’s health or finances could cause serious harm if compromised.
- Data subjects affected: if the information involved primarily relates to individuals known to be vulnerable, this may increase the risk of serious harm.
- Number of data subjects: where a large number of individuals are affected by a data breach, even if the type of personal data is not itself high risk (such as names and addresses), it may be more likely that at least some of the individuals will experience serious harm.
- Which parties have gained access to the personal data: where the third party who accessed the personal data is known to be of a criminal persuasion, the risk of serious harm would be very high.
Nature of the harm that may result from the data breach. In assessing the risk of serious harm, it is helpful to consider the possible consequences of the breach and the likelihood of each consequence occurring. Examples include:
- Workplace or social bullying or marginalisation
- Financial loss to the data subject
- Loss of business or employment opportunities
- Damage to relationships
STEP THREE – Risk Assessment
A formal risk assessment should be carried out to assess the above broad categories in detail and to ensure consistency across every breach assessment carried out.
It is expected that this should be done without undue delay.
Where a low or medium level of harm or risk is identified, the data breach is to be recorded in the establishment’s Data Breach Register. (Sample breach registers can be found in the DPO Centre Policy Toolkit.)
Where a high risk of serious harm to a data subject is identified, the data breach should be reported to the ICO and to the affected data subject(s), bearing in mind the stipulated 72-hour timeframe for reporting.
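As an added illustration (not code from The DPO Centre or the original post), the three steps above can be encoded as a small triage helper that an incident-response team could keep alongside its Data Breach Register. It classifies the breach into the three Step One categories, scores the Step Two factors into a likelihood band and a consequence band, combines them in a 3×3 risk matrix, and then applies the Step Three rule together with the 72-hour deadline counted from the moment of awareness. The point weights, the 1 to 3 bands and the matrix thresholds are assumptions chosen for this example; the post names the factors but gives no numbers, so an organisation should calibrate them in its own risk assessment. The three sample incidents are constructed, modelled loosely on the post’s own examples.

```python
"""Breach triage helper for the post's three steps: classify the breach, score the
likelihood and consequence of serious harm, then choose between the Data Breach
Register and a report to the ICO within 72 hours. Weights and bands are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum

REPORT_WINDOW = timedelta(hours=72)  # the 72-hour window cited in the post

# Consequences the post lists under "nature of the harm"
HARM_CATEGORIES = frozenset({"bullying or marginalisation", "financial loss",
                             "loss of business or employment opportunities",
                             "damage to relationships"})


class BreachType(Enum):  # the three categories from Step One
    UNAUTHORISED_ACCESS = "unauthorised access"
    UNAUTHORISED_DISCLOSURE = "unauthorised disclosure"
    LOSS = "loss"


@dataclass(frozen=True)
class Breach:
    breach_type: BreachType
    malicious: bool             # targeted or deliberate rather than inadvertent
    exposure_hours: float       # how long the data has been accessible
    records: int                # volume of personal data items involved
    special_category: bool      # e.g. health or financial information
    vulnerable_subjects: bool   # subjects known to be vulnerable
    subjects: int               # number of data subjects affected
    recipient_criminal: bool    # recipient known to have criminal intent
    awareness_time: datetime    # when the controller became aware (UTC)
    harms: frozenset = frozenset()  # anticipated consequences, see HARM_CATEGORIES


def band(points: int) -> int:
    """Collapse a points total into 1 (low), 2 (medium) or 3 (high). Assumed cut-offs."""
    return 1 if points <= 1 else 2 if points <= 3 else 3


def likelihood_band(b: Breach) -> int:
    """Step Two, circumstances of the breach. Weights are assumptions of this example."""
    return band(2 * b.malicious + 2 * b.recipient_criminal
                + (b.exposure_hours > 24) + (b.exposure_hours > 24 * 7)
                + (b.records > 1000))


def consequence_band(b: Breach) -> int:
    """Step Two, nature of the harm. Weights are assumptions of this example."""
    return band(2 * b.special_category + b.vulnerable_subjects
                + (b.subjects >= 100) + (b.subjects >= 10_000)
                + len(b.harms & HARM_CATEGORIES))


def risk_level(b: Breach) -> str:
    """3x3 matrix, likelihood x consequence, mapped to low / medium / high."""
    score = likelihood_band(b) * consequence_band(b)
    return "high" if score >= 6 else "medium" if score >= 3 else "low"


@dataclass(frozen=True)
class Decision:
    risk: str
    report_to_ico: bool       # also notify the data subjects when True
    deadline: datetime        # awareness time + 72 hours
    hours_remaining: float    # negative: the window has already closed


def triage(b: Breach, now: datetime) -> Decision:
    """Step Three: low/medium -> register only; high -> report to ICO and subjects."""
    risk = risk_level(b)
    deadline = b.awareness_time + REPORT_WINDOW
    remaining = round((deadline - now) / timedelta(hours=1), 2)
    return Decision(risk, risk == "high", deadline, remaining)


# Constructed sample incidents modelled on the post's examples (not real cases)
AWARE = datetime(2018, 6, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_NOW = AWARE + timedelta(hours=24)
SAMPLES = {
    "folders_left_on_train": Breach(
        BreachType.LOSS, malicious=False, exposure_hours=2, records=30,
        special_category=False, vulnerable_subjects=False, subjects=30,
        recipient_criminal=False, awareness_time=AWARE,
        harms=frozenset({"financial loss"})),
    "network_compromise": Breach(
        BreachType.UNAUTHORISED_ACCESS, malicious=True, exposure_hours=72,
        records=50_000, special_category=True, vulnerable_subjects=False,
        subjects=50_000, recipient_criminal=True, awareness_time=AWARE,
        harms=frozenset({"financial loss", "damage to relationships"})),
    "file_published_online": Breach(  # noticed late: the 72-hour window has closed
        BreachType.UNAUTHORISED_DISCLOSURE, malicious=False, exposure_hours=200,
        records=200, special_category=True, vulnerable_subjects=False,
        subjects=200, recipient_criminal=False,
        awareness_time=AWARE - timedelta(hours=72)),
}

if __name__ == "__main__":
    for name, breach in SAMPLES.items():
        print(name, triage(breach, SAMPLE_NOW))
```

Running the helper on the samples gives a low-risk loss (register only), a high-risk compromise with 48 hours left to report, and a medium-risk disclosure whose deadline passed 24 hours ago, which is the case that should prompt a review of how awareness is established. One calibration caveat: the helper follows the post’s scheme, in which only a high-risk finding triggers reports, but the post’s own opening paragraphs put the ICO threshold at a likely risk to data subjects and reserve the high-risk threshold for notifying the data subjects themselves, so a team adopting a scoring scheme like this should decide where its medium band sits relative to the ICO threshold rather than treating medium as automatically register-only.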
Through our work with over 250 organisations, the DPO Centre’s team of experienced DPOs can provide the advice, guidance and model documentation required to ensure timely and appropriate assistance in assessing and handling data breaches. For further information on how we can assist your organisation, please contact us.