What is a Personal Data Breach?
The General Data Protection Regulation (GDPR), Article 4 (12), defines a personal data breach as ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.’
Examples of a Personal Data Breach
From the definition above, there are a variety of different ways a personal data breach can occur. Possible examples of breaches include:
- Sending personal data to an incorrect recipient
- Alteration of personal data without permission
- Losing the availability of personal data
- Access by an unauthorised third party
A personal data breach is broadly a security incident that has affected the confidentiality, integrity or availability of personal data. In short, there will be a personal data breach whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable, for example, when it has been encrypted by ransomware, or accidentally lost or destroyed.
Recital 87 of the GDPR makes clear that when a security incident takes place, you should quickly establish whether a personal data breach has occurred and, if so, promptly take steps to address it, including telling the ICO if required.
When a breach occurs
Employees have a responsibility to follow their internal policies and procedures, which should include how to recognise, report and manage a suspected or confirmed personal data breach. If a suspected personal data breach has occurred, you must establish the likelihood and severity of the resulting risk to people’s rights and freedoms. When assessing the risk, you must focus on the negative consequences for the individual (the Data Subject). If it is likely that there will be a risk, you must notify the ICO; if it is unlikely, you do not have to report it. However, if you decide you do not need to report the breach, you need to be able to justify this decision, so you should document it.
Notifying the ICO
Either the employee assigned to handling data protection within your organisation or the Data Protection Officer will notify the ICO of a breach. Article 33 (1) states that a Data Controller must report a breach without undue delay and, where feasible, within 72 hours of becoming aware of it.
When reporting a breach to the ICO, GDPR Article 33 (3) indicates you must provide:
- A description of the nature of the personal data breach
- The name and contact details of the DPO or other contact point where more information can be obtained
- A description of likely consequences of the breach
- A description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.
Notifying the Data Subject
If a breach is likely to result in a ‘high risk’ to the rights and freedoms of an individual, GDPR Article 34 (1) indicates that you must notify the affected Data Subjects without undue delay. In other words, this should take place as soon as possible.
When informing an individual of a breach, you must ensure that the nature of the breach is described in clear and plain language, and the notification must contain the same information as is supplied to the ICO, as listed above.
A ‘high risk’ means the threshold for informing individuals is higher than for notifying the ICO. Again, you will need to assess both the severity of the potential or actual impact on individuals as a result of a breach and the likelihood of this occurring. If the impact of the breach is more severe, the risk is higher; if the likelihood of the consequences is greater, then again the risk is higher. In such cases, you will need to promptly inform those affected, particularly if there is a need to mitigate an immediate risk of damage to them. One of the main reasons for informing individuals is to help them take steps to protect themselves from the effects of a breach.
Failure to Notify
Under GDPR Article 58, the ICO has the corrective powers and authority to issue fines to organisations that fail to notify appropriately regarding a personal data breach. Currently you can be fined up to the higher of 10 million euros or 2% of global turnover, so it is important to have a robust breach reporting process in place to ensure you can detect a breach, notify it on time, and provide the necessary details.
If you would like support in reviewing or testing your internal processes, or in creating internal processes and a robust reporting framework for personal data breaches, please contact us on 0800 999 5550 or email me at firstname.lastname@example.org.
Jack Griffiths – Assistant Data Protection Advisor.