Picture the scene: It’s 4pm on a Friday and, as the final minutes of the working day tick away, you receive a panicked call from the accounts department informing you that the company pay slips have vanished. Fantastic – names, national insurance numbers and financial details of 300 members of staff missing, presumed stolen. Just what you need. Fearing the worst, you contact the Information Commissioner’s OfficeThe United Kingdom’s independent ‘supervisory authority’ for ensuring compliance with the UK GDPR, Data Protection Act 2018, the Privacy and Electronic Communications Regulations etc. (ICOThe United Kingdom’s independent supervisory authority for ensuring compliance with the UK GDPR, Data Protection Act 2018, the Privacy and Electronic Communications Regulations etc.) immediately to report a data breach.
Just before you log off, and as you begin to contemplate which Netflix show to binge this evening, the accounts team call you back. The pay slips had just fallen down the side of someone’s desk and were not lost after all.
Now, the above scenario is clearly an avoidable one. Diligent data professionals will, upon being made aware of such an incident, investigate to first establish whether it is reasonably likely that a breach has occurred. The scenario does, however, resemble an actual ‘data breach’, reported to the ICO shortly after the GDPR came into force in 2018.
Almost three years on, and the latest UK Data Protection Index findings indicate that the data protection industry still craves greater clarity when it comes to reporting breaches, revealing that 84% of respondents agree that there should be more specific expectations around breach notification and that the definition of ’becoming aware’ of a data breach needs to be clarified.
Existing guidance
Article 33 of the UK GDPRThe UK General Data Protection Regulation. Before leaving the EU, the UK transposed the GDPR into UK law through the Data Protection Act 2018. This became the UK GDPR on 1st January 2021 when the UK formally exited the EU. states that data controllers must notify the ICO of personal dataInformation which relates to an identified or identifiable natural person. breaches without undue delay and within 72 hours of becoming aware of it, unless it is unlikely to result in a risk to the rights and freedoms of data subjects. Recital 87 adds that data controllers should quickly establish whether a security incident constitutes a data breach and promptly take steps to address it, reporting to the ICO if required.
For its part, the ICO states that controllers need to assess breaches on a case-by-case basis, looking at all relevant factors. Other than some webinars and general comment, the ICO has scarcely updated its position since the GDPR came into force. At the time of writing, it still refers to Article 29 Working Party (Art. 29 WP) guidance from 2017, guidance that explains that when it comes to ‘becoming aware of a breach’, the controller must have a reasonable degree of certainty that a security incident that has led to personal data being compromised has occurred.
Whilst this guidance may be a good starting point, it has been proven to be difficult to apply in practice. Given that the 72-hour clock does not stop ticking for weekends or even bank holidays, it is therefore perhaps understandable that some data controllers may hit the panic button – or perhaps, upon discovering a breach at 4pm on a Friday, would rather report a breach for the avoidance of doubt and enjoy their weekend.
New EDPB guidance
Fortunately, the body that superseded the Art. 29 WP, the European Data Protection Board (EDPB), has just released additional guidance as of January 2021, “to help data controllers in deciding how to handle data breaches”, which, in theory, could go some way towards satisfying the appetite of the Data Protection Index participants.
The new guidance, which is intended to be read alongside the 2017 material, refers to eighteen fictitious cases, based on the collective experiences of supervisory authorities across the EEA.
For each case study, there is guidance on prior measures that can be taken to reduce the likelihood of the breach occurring in the first place and advice on risk assessment and mitigation measures should the breach occur. Additionally, and perhaps most importantly, each breach is assigned a verdict:
Worth the wait?
Given the wide-ranging meaning attributed to the term ‘data breach’ – essentially anything that can compromise the confidentiality, integrity or availability of someone’s personal data – this guidance will no doubt be welcomed both by those with and without expert data protection knowledge.
Nevertheless, the examples chosen – loss of encrypted devices, ransomware attacks, employees exfiltrating data – and therefore some of the resulting advice, could appear somewhat obvious to those within the industry. If you play along and attempt to guess the verdict for each case study as you go (oh the fun us data professionals have), chances are you will be correct each time.
The problem is that it is not the obvious, but the borderline cases – where the assessment of harm to an individual is more subjective, where the risk is different depending on whom you ask, where the amount of data involved is not small, but not large – that keep a DPO up at night. Therefore, although the common examples are useful, the new guidance may leave some data professionals wanting. Furthermore, even with the guidance data controllers may still be forced to take some ‘educated guesses’ whilst hoping that their risk assessments meet ICO expectations.
Processor due diligence
Another important factor to consider when looking at breaches is the role of data processors. If a data processorA third party processing personal data on behalf of a data controller. becomes aware of a data breach then it is obliged to notify the controller without undue delay. This obligation supposedly applies to ‘all’ breaches, however, are controllers and processors doing enough to ensure this is being done?
According to the UK Data Protection Index findings, 81% of DPOs agree or strongly agree that more due diligence should be introduced between controllers and processors. It seems to us that an approach to managing data breaches should certainly be part of that.
We suggest that these questions, and others besides, should all be answered prior to a controller entering into an agreement with a processor.
It is also worth mentioning that the EDPB guidance states that processors are able to notify a supervisory authority about a breach on behalf of the controller, but only if the controller has given authorisation for this within the controller-processor agreement. This is something that controllers should consider, however, it must be remembered that regardless of whether processors are authorised to report breaches, the legal responsibility to notify ultimately lays with the controller.
Conclusion
Whether processors are involved in the reporting or not, since the GDPR’s inception, the number of data breaches reported in the UK has tripled, according to the ICO’s last Annual Report from 2019-2020. The majority of these breaches led to no action required by the data controllers involved. Whilst this suggests greater guidance is required to prevent overreporting, there is also a realistic chance that some more significant breaches have slipped through the gaps.
Until further guidance comes from the ICO, the EDPB guidance will no doubt be relied upon by controllers and processors alike when putting together a strategy to manage data breaches. Of course, it may be worth including another key step in any such strategy – take a deep breath and look down the side of the desk first.
To read the EDPB’s new guidance on data breaches, click here.
Fill in your details below and we’ll get back to you as soon as possible