How to report data breaches?

Background

The European Data Protection Board (EDPB) has adopted new guidelines (the Guidelines) to help data controllers to respond to personal data breaches and what factors to consider during risk assessment. These supplement previous guidelines published in October 2017 and include practice-oriented guidance and case-studies based on the experiences gained by the supervisory authorities in dealing with data breach notifications.

Although the UK is no longer a member of the European Union, the GDPR has been incorporated into UK Law and Information Commissioner’s Office (ICO) has confirmed that while the EDPB guidelines are not binding under the UK data protection regime, they may still offer useful guidance for UK-based organisations.

Personal data breaches

A personal data breach is defined under the GDPR as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.

Personal data breaches can obviously have significant adverse effects on individuals, including among other things discrimination, identity theft or fraud, financial loss and damage to reputation.

Controller notification obligations

Due to the potentially serious consequences of personal data breaches, it is very important that controllers evaluate the risks of data breach and implement appropriate technical and organisation measures to address them.

Therefore, in accordance with the requirements of the GDPR, controllers must:

• document any personal data breach, comprising the facts relating to the breach, its effects and any remedial action taken.
• notify the personal data breach to the supervisory authority (such as the ICO in the UK), unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.
• communicate the personal data breach to the data subject when the breach is likely to result in a high risk to the rights and freedoms of natural persons.

Controllers should assess whether any breach is likely to result in a risk to the rights and freedoms of a data subject at the time they become aware of the breach. They should not delay assessing the risk and deciding whether to report it on the basis that they are waiting for a detailed forensic examination and/or are seeking to take early mitigation steps.

However, where a controller assesses the risk to be unlikely, but subsequently the risk materialises, the supervisory authority can use its corrective powers and/or sanctions.

Considerations

Controllers are therefore advised to make use of the new guidance published by the EDPB, which provides numerous case-studies relating to various categories of breaches to help organisations understand their obligations in relation to data breaches and what should be considered during risk assessment. These cover data breaches such as ransomware attacks, website attacks, accidental breaches caused by human error, deliberate breaches by former employees, lost or stolen devices and paper records, mispostal and social engineering.

An organisation should be aware of the different types of breaches which could occur, and have appropriate plans and procedures in place for handling personal data breaches. This can include training of employees on data protection issues, which should be kept up to date, and a handbook that enables employees to understand what their obligations are in the event of a data breach.

The full guidance can be accessed via this link. If you have any questions about the issues raised in this article, or on GDPR compliance generally, please do not hesitate to contact us by emailing [email protected].