Data breaches are another area where there seems to be a lot of confusion about exactly what the GDPR means, but there is already good clarification on the Information Commissioner's Office (ICO) website.
When do you have to report a data breach under the GDPR?
The GDPR does not introduce a blanket requirement to notify the supervisory authority and the individuals affected by every breach; the situation is more nuanced than that.
Article 33 states the following:
In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
That's not massively helpful in truth: the 'result in a risk to the rights and freedoms of natural persons' part is pretty fuzzy. Thankfully, Recital 85 gives more detail of what those risks are, namely:
physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned.
The ICO website then adds a couple of really useful examples that flesh this out further:
For example, you will need to notify the relevant supervisory authority about a loss of customer details where the breach leaves individuals open to identity theft. On the other hand, the loss or inappropriate alteration of a staff telephone list, for example, would not normally meet this threshold.
There's more consideration of this in the next section:
What constitutes a personal data breach under GDPR?
When most people hear 'data breach' they think of USB sticks dropped in taxis or hacked websites. However, that's far from the full scope of what the GDPR considers a 'personal data breach'. Article 4(12) identifies it as follows:
‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
Examples of the sorts of things that could be considered breaches under that definition are:
- A fire that causes paper records to be lost, if the only copy of the data is held on paper
- An accidentally erased hard drive that holds the only copy of individuals' data, where no backup exists
- An accidental update of a database that leads to incorrect data being written to individuals' records
- Accidentally emailing a list of customer bank account details to the wrong person (arguably, emailing that data unencrypted at all, whoever it was sent to)
- A hacker accessing your computer network and taking customer data
- A malicious, incompetent or untrained member of staff introducing errors into personal data stored about individuals, or deleting records
- A malicious member of staff copying customer data and selling that data to a third party
- And many, many other things
However, not all of the scenarios in the above list would necessarily require the breach to be notified; each case would need to be assessed individually to see whether the risk threshold in Article 33 (as explained by Recital 85) had actually been met.
It's possible that even something as serious as an intrusion might not require reporting, if it could be incontrovertibly shown that the data taken was deleted before anyone accessed or distributed it.
Encryption and anonymisation can remove the need to report a breach to the individual
Article 34(3)(a) includes a very important proviso that removes the requirement to inform individuals about a breach of their personal data when:
the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
Note that this only lifts the duty to tell the individuals (Article 34); whether the supervisory authority must be notified under Article 33 still depends on the risk assessment described above, although data that is genuinely unintelligible to the attacker will rarely present a risk. There are two forms of encryption to consider here:
- Encryption of the physical medium the data is stored on (full-disk encryption of a computer's hard drive, or of the memory chips in a smartphone)
- Encryption of the actual data itself, field by field, inside the database or file
This distinction is important. If a computer was stolen while locked or powered off, and its hard drive was encrypted with a key the thief does not have, then the data is unintelligible to them and the requirement to report the breach would normally be removed. (Full-disk encryption only protects data at rest: a machine stolen while unlocked, or with the passphrase written on a sticky note, gives no such comfort.)
However, if that computer was hacked into and the database was copied, the hard-drive encryption has no effect at all: disk encryption is transparent to anything running on the booted system, so the intruder sees the decrypted data in exactly the same way you do. In this case you would need the personal data in the database itself (or, more precisely, the fields that make a record identifiable to an individual) to be encrypted with a key that is not stored alongside the data, so that when the intruder looked at the database they could not identify the individuals within it.
Encryption is relatively cheap nowadays and built into modern operating systems and most hardware, so making sure full-disk encryption is in use across your organisation is a no-brainer. Encrypting the data itself takes a little more design work, because the application needs somewhere safe to keep the key, but it is the only form that helps once an attacker is on the system.
The other way to reduce reportable breaches is to ensure that as few documents as possible contain personal data that meets the criteria for reporting. Many organisations have large catch-all reports they use for things like sales reporting. Those reports often include columns for all the data you hold on a person, but does the sales report really need to include each person's date of birth and address? If you remove that data, and a copy of the sales report is then lost, it is quite possible that no notification would be required.
Of course, the very best way to avoid a breach of personal data is just not to have the personal data in the first place.
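To make the difference between disk encryption and encrypting the data itself concrete, here is an added example (mine, not code from the ICO or from the original article) in Go. It assumes a constructed Customer record with a few identifying columns and one sales figure, AES-GCM as the cipher, and a 32-byte key that in production would be fetched from a key management service at start-up rather than kept beside the database. The same struct also illustrates the minimisation point above: a report built only from ID and Spend carries nothing that identifies a person.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// Customer is a constructed sample record. Name, Email, DOB and Address are
// the fields that make a row identifiable; Spend is all a sales report needs.
type Customer struct {
	ID      int
	Name    string
	Email   string
	DOB     string
	Address string
	Spend   float64
}

// FieldCipher encrypts individual field values with AES-GCM. The key must be
// held outside the database (a KMS, HSM or vault the application reads at
// start-up): if it sits beside the data, a database thief gets the key too.
type FieldCipher struct{ aead cipher.AEAD }

// NewFieldCipher builds a cipher from a 16, 24 or 32-byte AES key.
func NewFieldCipher(key []byte) (*FieldCipher, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &FieldCipher{aead: aead}, nil
}

// Encrypt returns base64(nonce || ciphertext || tag). The column name is bound
// as associated data, so a value copied into a different column fails to
// authenticate instead of silently decrypting as another person's data.
func (f *FieldCipher) Encrypt(column, plaintext string) (string, error) {
	nonce := make([]byte, f.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := f.aead.Seal(nonce, nonce, []byte(plaintext), []byte(column))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// Decrypt reverses Encrypt; wrong key, tampering or a moved value all error.
func (f *FieldCipher) Decrypt(column, encoded string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	n := f.aead.NonceSize()
	if len(raw) < n {
		return "", errors.New("ciphertext too short")
	}
	plain, err := f.aead.Open(nil, raw[:n], raw[n:], []byte(column))
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

// mapIdentifying applies fn(column, value) to each identifying field of c and
// leaves ID and Spend, which a report needs in the clear, untouched.
func mapIdentifying(c Customer, fn func(string, string) (string, error)) (Customer, error) {
	fields := map[string]*string{"Name": &c.Name, "Email": &c.Email, "DOB": &c.DOB, "Address": &c.Address}
	for column, p := range fields {
		v, err := fn(column, *p)
		if err != nil {
			return Customer{}, err
		}
		*p = v
	}
	return c, nil
}

// Protect is the form written to the database; Reveal is what the application
// does, with the key, when it legitimately needs the real values.
func (f *FieldCipher) Protect(c Customer) (Customer, error) { return mapIdentifying(c, f.Encrypt) }
func (f *FieldCipher) Reveal(c Customer) (Customer, error) { return mapIdentifying(c, f.Decrypt) }

func main() {
	key := make([]byte, 32) // stands in for a key fetched from a KMS at start-up
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	fc, err := NewFieldCipher(key)
	if err != nil {
		panic(err)
	}
	alice := Customer{ID: 1, Name: "Alice Example", Email: "alice@example.com", DOB: "1980-01-02", Address: "1 High Street", Spend: 42.5}
	stored, _ := fc.Protect(alice) // what a copied database reveals to the thief
	fmt.Printf("%+v\n", stored)
}
```

Run it and the printed record shows an ID and a spend figure next to four opaque base64 strings, which is what an intruder who copied the database would see; a thief who also took the disk but not the key is no better off. Binding the column name as associated data is a small extra that stops an "accidental update" of the kind listed earlier from moving one person's encrypted address into another's record without the application noticing.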
How quickly do I have to report a breach?
If you have a breach that requires reporting, you must notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it (if you take longer, the notification must give the reasons for the delay), and you must notify the individuals affected without undue delay.
If notifying those involved directly would involve disproportionate effort (for example because their contact details were in the data that was lost), then you must make a public communication instead that those affected will see (think press releases, alerting the media and adverts in newspapers and trade journals).
What happens if I don't report a personal data breach?
The ICO is likely to look unkindly upon organisations that are aware of breaches requiring notification but do not report them. Under Article 83(4), the maximum fine for failing to notify is €10 million or 2% of total worldwide annual turnover for the preceding financial year, whichever is higher.