Data Protection Law
The UK GDPR imposes a duty on all organisations that process personal data to report certain personal data breaches to the relevant supervisory authority.
Further, organisations must inform individuals about a breach if it is likely to result in a high risk of adversely affecting individuals’ rights and freedoms.
Organisations must also ensure that they have breach detection, investigation and internal reporting procedures in place. This is in order to inform decision-making about whether or not the relevant supervisory authority and affected individuals must be informed.
Defining personal data breach
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of either accidental or deliberate causes.
In October 2022, the construction firm Interserve (now Tilbury Douglas) was fined £4.4 million following a phishing attack on an employee. The employee, who opened the malicious files whilst working from home (and therefore not protected by Interserve’s anti-virus system), gave hackers access to the personal data of 133,000 Interserve employees.
Accidental personal data breaches are typically simpler: a member of an employer’s HR team accidentally sending an email to the wrong recipient, for example.
How should an organisation prepare for a personal data breach?
Preparedness begins with an organisation knowing how to recognise a personal data breach. As above, it is not simply a matter of potential loss or theft of personal data.
To fully understand the scope for potential breaches, organisations must be aware of all the personal data they process – and how that personal data is managed. With the potential scope of a personal data breach in mind, organisations can do the following to increase readiness:
- employee training: the ICO strongly advises that all employees understand the risks of a personal data breach, how to identify a potential breach, and how to properly escalate any concerns. Training is part of the ICO’s ‘Accountability Framework’ for demonstrating compliance with the UK GDPR/DPA 2018.
- testing: an organisation’s IT providers can carry out fake attempts to compromise computer systems.
- consulting external advisors: there are specialists that can be consulted to minimise the risks of a personal data breach.
- Data Protection Impact Assessment (DPIA): where processing carries high risks to individuals (i.e. in the event of a personal data breach), organisations can carry out a DPIA to assess and think through the risks. This can inform risk mitigation strategies.
Organisations must also have a prepared response plan in the case of personal data breaches, allocating responsibility for managing breaches to a dedicated person or team.
Responding to a personal data breach
In the event that a personal data breach occurs, an organisation’s response, from a UK GDPR perspective, can be broken down into three actions:
- risk assessment: an organisation must have a process in place to assess (1) the scale of the personal data breach and (2) the likelihood that individuals’ rights and freedoms would be adversely affected.
- informing the ICO: organisations must consider whether to inform the ICO.
- informing individuals: organisations must consider whether to notify the individuals whose personal data has been compromised.
Risk-assessing data breaches
The ICO states that whenever a security incident takes place, you should quickly establish whether a personal data breach has occurred and, if it has, take steps to resolve it. Resolution is not just stopping the breach, but also minimising the effect on the individuals, investigating its occurrence, and ensuring that the breach does not happen again.
Risk, in the context of breach reporting, centres on the potential negative consequences for individuals. Potential negative consequences include emotional distress, and physical and material damage. Other personal data breach consequences include the possibility that those who need data to do their job will not be able to.
Data breaches can also affect the ability of organisations to process personal data. Ransomware, for example, locks systems until a ransom is paid. This restricts the data subject’s rights over their own personal data – they would not be able to request erasure of data locked by ransomware. This is a further type of risk that must be considered by organisations.
When should individuals be informed about a breach?
The UK GDPR states that individuals must be notified about a breach if it is likely to result in a high risk to their rights and freedoms. There must not be any undue delay.
The assessment of risk will be on a case by case basis. Organisations must look at the amount of data compromised, the type (e.g. whether or not it is special category personal data), and how long it was before the breach was identified.
It may be tricky to understand exactly what to tell those who have had breaches to their personal data. Generally however, they must be told:
- about the nature of the personal data breach;
- the name and contact details of any data protection officer you have, or other contact point where information can be obtained;
- any potential risks that have been identified as a result of the data breach; and
- a description of the measures taken or measures that will be taken to deal with the breach.
It may also be useful to give any relevant advice to individuals on the steps they can take to protect themselves from the potential risks you have identified, and how you can help them with this. Protection may include a password reset, advising individuals to use strong, unique passwords, or telling them to look for any fraudulent activity in their bank or other personal account.
Notifying the ICO
The likelihood of the risk to the rights and freedoms of individuals must be established when a personal data breach occurs.
If a risk to individuals is likely, the ICO must be notified. You do not always need to notify the ICO, in particular where the breach is unlikely to result in a risk.
The initial correspondence to the ICO reporting the breach should include:
- the nature of the breach (categories and number of people affected; amount of data compromised);
- name and contact details of the DPO;
- likely consequences of the personal data breach; and
- how the organisation has dealt with or intends to deal with the breach, including any mitigation that can be taken in the future.
Note that if the organisation decides not to report the breach, they must be able to justify this decision, therefore the decision should be documented.
A notifiable breach must be reported to the ICO without undue delay, and no later than 72 hours after becoming aware of it.
If the organisation takes longer than 72 hours, they must give reasons why this is the case.
Organisations must also record all breaches, regardless of whether or not they need to be reported to the ICO. This is made clear by Article 33(5) of the UK GDPR, which says that you must document the facts regarding the breach, its effects and the remedial action taken. Recording breaches and the necessary information ensures compliance with the UK GDPR, as well as accountability and transparency.
Failure to inform
If an organisation fails to notify the ICO of a personal data breach when it is required to do so, it may be heavily fined.
The fine can extend to up to £8.7 million or 2% of the organisation’s global turnover.
However, in order to avoid having to notify the ICO, it is essential that an organisation takes effective measures to prevent any data breaches from occurring.