Under the General Data Protection Regulation (Regulation (EU) 2016/679), a data controller is under a strict obligation to report a personal data breach to the Information Commissioner's Office (ICO) where the breach meets certain requirements.
Time frame for reporting
You must report a personal data breach, under Article 33, without undue delay and, where feasible, not later than 72 hours after becoming aware of it. What does becoming aware mean? The Article 29 Working Party guidance treats a controller as aware at the point where it has a reasonable degree of certainty that a security incident has occurred and has compromised personal data. The GDPR also expects you to have appropriate technical and organisational measures in place so that you can establish promptly whether a breach has taken place, although the nature of some breaches will make it more difficult to establish whether personal data has in fact been compromised.
What is a personal data breach?
A personal data breach is a breach of security leading to the "accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data" (Article 4(12)). Personal data breaches are therefore not limited to ransomware attacks by external attackers; the accidental deletion of data, or any other loss of availability, integrity or confidentiality of personal data, can also qualify.
I've got a breach. What next?
If you have identified that your organisation has suffered a breach, you need to establish whether you are required to report it to the ICO. Notification to the ICO is required unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons (Article 33(1)). The ICO appreciates that you may not be aware of, or in a position to provide, all the required information within 72 hours of becoming aware of the breach. You may therefore provide the details in phases after further investigation, so long as this is done without further undue delay. Article 33(3) requires that, at a minimum, you provide the following:
- Nature of the breach (including an approximate number of data subjects affected)
- Contact details of the point of contact or, where applicable, your data protection officer
- Likely consequences of a breach
- What is being done (or is planned) to address the breach and mitigate its possible adverse effects
Where you have to provide information in phases, you should still include as much of this information as you have in your first contact with the ICO. You can also update your notification to the ICO if required. For example, suppose a flash drive containing customer bank details, phone numbers and addresses appears to have been misplaced. Because of the risk this poses to the affected individuals, you should notify the ICO. If you then discover the flash drive misfiled among your own records a couple of days later, you should update your notification to the ICO accordingly.
I've reported to the ICO, do I need to tell anyone else?
You must notify affected individuals where the breach is likely to result in a high risk to their rights and freedoms (Article 34). Although the GDPR sets no fixed timescale for notifying individuals, you must still notify them directly without undue delay. In assessing the breach, you need to determine the potential or actual impact on the affected individuals; there are good examples on the ICO's website. Article 34(3) also provides exceptions to the duty to notify individuals, for example where the affected data was protected by measures such as encryption that render it unintelligible to anyone not authorised to access it.
It should be noted that even where you do not need to notify the affected individuals, the requirement to notify the ICO still applies. The ICO also has the power to compel notification to individuals where it considers that there is a high risk to their rights and freedoms.
Accountability: so I didn't report? What now?
The GDPR, under Article 33(5), requires you to document all personal data breaches, even those you have not notified to the ICO. This document, or "register of breaches", should "show your working" (as if you were in a mathematics exam): it should record the facts of the breach, its effects and the remedial action taken, together with your reasoning as to why you did or did not notify the ICO and the affected individuals, including what steps you took to stop the risk from materialising.
If you have any questions about the process of reporting breaches, or any wider question in respect of the GDPR, please do not hesitate to contact our experienced team.