We are often asked by clients how to determine whether a breach is reportable to the supervisory authority and/or to the data subjects, or whether it should simply be recorded in the Data Breach Register.
The GDPR places a duty on all establishments to report personal data breaches to the Information Commissioner's Office (ICO) where the breach is likely to pose a risk to the rights and freedoms of data subjects. The report must be made within 72 hours of the data controller becoming aware of the breach, where feasible; if it is made later than that, it must be accompanied by the reasons for the delay.
The data controller also has a separate obligation to notify the affected data subjects, without undue delay, where the breach is likely to result in a high risk to individuals' rights and freedoms.
Historically, breach reporting was optional, with no obligation to tell the ICO, although major breaches had increasingly been reported voluntarily.
The ICO has revealed that it has been receiving around 500 reports per week since the GDPR came into force, a third of which are considered unnecessary or fail to meet the threshold for a personal data breach.
The ICO's annual report figures show that 2,565 breaches were reported in the whole of 2016/17; in June 2018 alone the figure was 1,792. Clearly a significant degree of over-reporting is happening, and it appears to be increasing.
It is therefore important to assess each breach in its entirety and to establish a systematic process that can be followed every time, so that reportability is identified consistently and appropriately.
The steps to take are as follows:
STEP ONE – What is a ‘data breach’?
The first step in deciding whether a reportable data breach has occurred is to establish whether a personal data breach has occurred at all.
A personal data breach is defined in the Regulation (Article 4(12)) as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed".
| UNAUTHORISED ACCESS | UNAUTHORISED DISCLOSURE | LOSS |
|---|---|---|
| Occurs when personal data is accessed by someone who is not permitted to have access, for example unauthorised access by an employee, contractor or third party. | Occurs when personal data is made accessible or visible to third parties and is released from the establishment's effective control in a way that is not permitted. | Occurs when personal data held by an establishment is accidentally or inadvertently lost, in circumstances where this is likely to result in unauthorised access or disclosure. Example: an employee leaves folders containing personal information on a train. |
Note that the definition above also covers accidental or unlawful destruction and alteration of personal data. A ransomware infection that encrypts records, or a corrupted database that cannot be restored from backup, is therefore a personal data breach even though no data has left the organisation, and it must be assessed in the same way.
STEP TWO – Is serious harm likely?
The second step is to decide whether, from the perspective of a reasonable person, the data breach is likely to result in serious harm to any individual whose personal data was involved in the breach.
‘Serious harm’ is not defined in the GDPR. In the context of a data breach, serious harm to an individual may include serious physical, psychological, emotional, financial, or reputational harm.
Establishments should assess the risk of serious harm holistically, having regard to the likelihood of the harm to data subjects and the consequences of the harm.
The relevant matters for assessing the likelihood of serious harm are, broadly:
1. Circumstances of the data breach: Relevant considerations in this regard are:
2. Nature of the harm that may result from the data breach: In assessing the risk of serious harm, it would be very helpful to consider possible consequences of such a breach and the likelihood of each consequence occurring.
Examples are:
STEP THREE – Risk Assessment
A formal risk assessment should be carried out to examine the broad categories above in detail and to ensure consistency across every breach assessment the establishment performs.
It is expected that this should be done without undue delay: the 72-hour clock starts when the controller becomes aware of the breach, not when the assessment is finished.
Every breach, whether or not it is reported, should be recorded in the establishment's Data Breach Register together with the facts, the effects, the remedial action taken and the reasoning behind the reportability decision. Where only a low level of harm or risk to data subjects is identified, recording it in the register is all that is required. (Sample breach registers can be found in the DPO Centre Policy Toolkit.)
Where a medium level of risk is identified, i.e. the breach is likely to result in a risk to data subjects, it must be reported to the ICO within the stipulated 72-hour time frame. Where a high level of risk or serious harm to data subjects is identified, the breach must be reported to the ICO and the affected data subject(s) must also be notified without undue delay.
Through our work with over 250 organisations, The DPO Centre’s team of experienced DPOs can provide the necessary advice, guidance and model documentation required to ensure timely and appropriate assistance in assessing and handling data breaches. For further information on how we can assist your organisation, please contact us.