What should I do if I discover a personal data breach?
December 12, 2018
When an organisation discovers a personal data breach it is hard not to catastrophize. It is well known and understood that the GDPR has introduced a mandatory breach reporting requirement, and with mandatory reporting comes regulatory, and often, media scrutiny.
Data controllers who become aware of personal data breaches (“PDBs”) must now consider whether the PDB gives rise to obligations to notify supervisory authorities and data subjects.[1] It is a common misconception that you must now report every PDB; this is not the case. What is necessary is a prompt and accurate assessment of the nature and circumstances of the PDB to determine whether notification is required. A proper, documented assessment will enable you to avoid both under-notification and over-notification of PDBs to supervisory authorities and data subjects.
In order to remain on the right side of the law, data controllers and processors must, therefore, be clear on (1) what constitutes a PDB; and (2) when it is necessary to notify each of the relevant stakeholders outlined in the GDPR (as the threshold for notification varies for different stakeholders).
What is a personal data breach?
A PDB is a breach of security, leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, transmitted, stored or otherwise processed. PDBs can be separated into the following categories:
- ‘Confidentiality breach’ - where there is an unauthorised or accidental disclosure of, or access to, personal data;
- ‘Integrity breach’ - where there is an unauthorised or accidental alteration of personal data; and
- ‘Availability breach’ - where there is an accidental or unauthorised loss of access to, or destruction of, personal data.
The categories of a PDB are not mutually exclusive, and a single PDB may fall into all three (for example, ransomware that both exfiltrates and encrypts a database is a confidentiality and an availability breach). Once a data controller has established, or has been notified by its processor of, a PDB, it should assess whether the PDB has resulted in a “risk” to the rights and freedoms of individuals in order to determine whether the “reporting threshold” has been crossed. The risk to be assessed is whether the PDB could lead to physical, material or non-material damage to the individuals whose data has been affected. Even where the conclusion is that the PDB does not need to be notified, the facts of the breach, its effects and the remedial action taken must still be recorded in the controller’s internal breach register (Article 33(5) GDPR), so that the supervisory authority can verify the decision later.
How do you assess the risks to rights and freedoms of natural persons?
A risk assessment will always be fact specific and should be objectively based upon the likelihood and severity of the potential impact occurring. If a PDB is likely to result in severe consequences for data subjects, such as identity fraud, or reveal sensitive information, which may result in reputational damage or less favourable treatment, this PDB will plainly require notification to both the supervisory authority and data subjects. Guidance by the Article 29 Working Party (“WP29”) recommends that, in undertaking an assessment of the risk, a data controller should consider the following factors:
- The type of breach - Whether the PDB is a confidentiality breach/integrity breach/availability breach;
- The nature, sensitivity and volume of personal data - Generally the more sensitive the type of data, the more likely and greater the risk of harm. Thought should be given by a data controller as to what the data may disclose about an individual;
- Ease of identification of individuals - Considerations, such as whether the data is encrypted or unencrypted, and whether identification may be directly or indirectly possible from the PDB;
- Severity of consequences for individuals - Depending on the nature of the personal data involved in a breach, greater harm may be caused. For example, whether it could lead to physical or psychological harm, and whether the data subject is particularly vulnerable;
- Special characteristics of the individual - A data breach may involve personal data concerning minors or particularly vulnerable individuals, thereby causing a greater risk of harm;
- Special characteristics of the data controller - Consider the nature of your activities as a data controller. Does the nature of your business mean that you routinely process sensitive data (for example, as a healthcare provider or a financial institution)?; and
- The number of affected individuals - A breach involving many individuals will generally have a greater impact.
When do I need to act?
Following a PDB, data controllers should act quickly. The “notification clock” starts running from the moment the data controller is made aware of the PDB. Furthermore, a failure to report a “reportable PDB” may result in the imposition of a separate sanction under the GDPR. Similarly, reporting a PDB that would otherwise be “unreportable” may lead to unnecessary scrutiny from a supervisory authority. The following table is a brief summary of when PDBs should be reported:
| Obligation | Timing and threshold |
| --- | --- |
| Data controllers to report PDBs | to the supervisory authority “without undue delay” and, where feasible, no later than 72 hours after becoming aware of the PDB, unless the PDB is unlikely to result in a risk to the rights and freedoms of individuals. A notification made after 72 hours must be accompanied by the reasons for the delay, and where not all the required information is available at once it may be provided in phases. |
| Data controllers to communicate PDBs | to the data subjects “without undue delay”, where the PDB is likely to result in a high risk to the rights and freedoms of individuals, subject to the exemptions in Article 34(3) (for example, where the affected data had been rendered unintelligible to unauthorised persons by measures such as encryption). |
| Data processors to notify | data controllers about PDBs “without undue delay” after becoming aware of them; processors do not notify supervisory authorities or individuals directly. |
In order to avoid adverse consequences, data controllers and processors should be clear upon, and act within, the ambit of their legal reporting obligations. The best response is a multi-disciplinary one, comprising a network of internal and external experts from different disciplines, including legal, forensics, cyber security and PR. Connecting these disciplines will enable you to assess whether notification to the supervisory authority and to data subjects is required, to determine what information that notification must contain, and to move with the necessary speed to meet the legal and regulatory deadlines.
[1] In the case of a cross-border breach, notification must be made to the lead supervisory authority.