In the last year, there have been a number of high profile data protection breaches reported in the press, such as those involving Facebook and the supermarket, Morrison’s. This increased media interest in data protection, along with the more stringent requirements of the General Data Protection Regulation (GDPR), has upped the stakes when it comes to responding to a personal data breach.
One of the key new GDPR obligations is to report certain personal data breaches to the Information Commissioner’s Office (ICO) without undue delay (and within 72 hours, where feasible). With this in mind, we take a look at what to do when you learn of a personal data breach, with a focus on how to decide whether you must make a report to the ICO.
What is a personal data breach?
The GDPR defines a personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
This broad definition means that personal data breaches are very easy to commit. Common examples could include a misdirected work email containing an employee’s personal contact details, an external computer hack, or a stolen mobile phone. However, a breach may not always be as obvious as in those examples. For example, an employer providing an overly detailed occupational reference, which volunteers information that is irrelevant to the job in question such as details of the applicant’s health, could amount to a data breach.
Do all breaches need to be reported to the ICO?
No. You do not need to report personal data breaches to the ICO if they are unlikely to result in a risk to the rights and freedoms of individuals. A personal data breach that is likely to result in such a risk must be reported to the ICO without undue delay (and, where feasible, within 72 hours of the controller becoming aware of it).
Since the GDPR came into force on 25 May 2018, the number of personal data breaches reported to the ICO has rocketed – from 367 in April, to 1,792 in June. This is not necessarily a sign that employers have mastered their new obligations to report personal data breaches: the ICO has indicated that many of these breach reports have been unnecessary or incomplete.
The European level guidance on breach reporting requirements provides some criteria that you can consider when assessing risk, to help you decide whether you need to report the breach to the ICO. These include: the type of breach; the nature, volume and sensitivity of the data in question; the severity of consequences for individuals and their vulnerability; and the number of people affected.
While some personal data breaches will be obviously reportable, such as breaches involving the loss or theft of special category data (e.g. health data), others will be more borderline. For example, where an employee loses a company mobile phone containing personal data, whether the company’s IT department can remotely disable the phone, and whether the data is encrypted and password protected, could make a difference when deciding whether it is necessary to report the loss to the ICO as a reportable personal data breach.
If you decide not to notify the ICO of a personal data breach, you must keep a clear record of your risk assessment in order to satisfy the requirement for accountability that applies under the GDPR. The inclusion of detailed reasoning will be particularly important where a case is borderline, or the assessment of the damage feels particularly subjective, as the ICO can demand to see your internal breach records in order to verify your compliance with your breach reporting obligations.
A word of caution…
It’s worth remembering that, while ICO communications frequently run with the headline: “You do not need to report every breach to the ICO”, in contrast, European guidance states equally clearly: “If in doubt, the controller should err on the side of caution and notify”.
What about the individuals affected by the breach?
As well as reporting to the ICO, where a breach is likely to result in a high risk to the rights and freedoms of individuals, you must report the breach to the affected individuals without undue delay. The only exceptions are where: you had applied appropriate technical and organisational protection measures to the data affected by the breach (e.g. the leaked data was encrypted, so it should be unintelligible to anyone without authority to access it); you have taken subsequent measures to ensure that the risk to individuals’ rights is no longer likely to materialise; or communicating with each affected individual would involve disproportionate effort, in which case a public statement will be required instead. (In the employment context, you are unlikely to be able to rely on the ‘disproportionate effort’ exemption to avoid notifying existing employees of a personal data breach, but you may possibly be able to do so in respect of ex-employees.)
Breach reporting procedure
We strongly recommend that companies have breach reporting procedures in place, to ensure that they are able to identify and respond appropriately to all personal data breaches. Such procedures should include clear internal guidelines for assessing when to report breaches to the ICO and to the individuals concerned.
Managing the fall-out from a personal data breach
As well as assessing whether a breach is reportable, once you become aware of a breach, you will immediately need to consider how to limit any potential adverse effects on the individuals whose data has been compromised, as well as any damage, including reputational damage, to the company. Depending on the nature of the breach, you may also be facing enforcement action by the ICO.
The next step is to consider what action is needed to reduce the risk of a similar breach happening again. However, the reality is that not all breaches can be prevented. In the Morrison’s case, the Court of Appeal is reported to have found the supermarket to be vicariously liable for the actions of one of its employees who publicised the personal data of staff, even though that employee committed a criminal offence by doing this and there appears to have been little the supermarket could have done to prevent it.
How we can help
Our upcoming national seminar, Practical GDPR for HR Professionals: what will change in your day job?, includes a practical session on what to do when a GDPR breach occurs, based on our first-hand experience of advising companies who have discovered a personal data breach within their organisation. The seminar materials include a guidance note explaining the necessary procedures that employees with responsibility for data protection must follow as soon as they have been alerted to a breach or suspected breach. Click here to see the full programme and to book.
Our Data Protection consultancy team have the people, skills, insights and experience to support you in your GDPR journey. From your own business-wide Virtual Data Protection Officer or dedicated Data Protection Advice Line to e-learning packages for your workforce and general HR or business-wide support, we’ve got it covered.
For more information, speak to your EEF adviser, email HRenquire@eef.org.uk or call 0808 168 5874.