The General Data Protection Regulation (GDPR) requires you to take “appropriate” measures to ensure that personal data processing is carried out in a secure way. This seems a very broadly-worded requirement, but it is not accidental. Every organisation is under a duty to think carefully about what’s appropriate for them, taking into account the risks to the rights and freedoms of individuals that a data breach might pose.
In addition, and for the first time, GDPR requires all data controllers to report certain types of data breaches to their national data regulator (in the UK it’s the ICO). You must also keep an internal record of all personal data breaches.
You might be wondering what exactly the lawmakers mean by a “personal data breach” as well as what should you do if you are hit by one. Decision makers need to be aware of how they can safeguard their organisation against breaches and stay on the right side of the regulator. If this sounds a lot like the things you have been asking yourself, then read on to find out more.
What constitutes a personal data breach under GDPR?
GDPR only concerns personal data. So, if it’s just your business accounts or intellectual property that are affected, these rules don’t apply. If it’s information that can identify a real person (e.g. customer or HR data), then the GDPR does apply.
A breach means loss, destruction, alteration, unauthorised disclosure or access to personal data. It could be deliberate or accidental. Some real-life examples include the following:
- Water damage to your warehouse leading to destruction of paper-based customer records
- An unauthorised login enabling someone from outside your organisation to access your CRM platform
- A systems failure leading to permanent loss of HR data spreadsheets
- A hacker unleashes a spyware packet, enabling them to access your entire data estate at will
- A departing manager ‘goes rogue’ and downloads your customer contact file before she leaves
What’s the difference between a data breach and a data leak?
In the eyes of the regulators, there is no difference between a data breach and a data leak. Some would argue that a data breach is a successful attack on data by an external, unauthorised entity, but that a data leak is the unauthorised or accidental transmission of data from inside an organisation to an external recipient. But the fact remains that they are as serious as each other, according to the ICO. Data leaks can happen physically and digitally, and most are unintentional. In fact human error accounted for 90% of reported data leaks in the UK in 2019, which can be as easy as sending an email or attachment to the wrong recipient.
What do I need to report?
You might be familiar with what constitutes a data breach, but still be uncertain about what you need to report. Here, we have outlined practical advice on what to do in the event of an incident occurring.
All personal data breaches must be recorded in an internal register of data breaches. For each breach, your internal record should answer these questions:
- What happened and when?
- How did it occur?
- What were the effects of the breach?
- What action did you take to remedy it?
Reporting breaches to the regulator
Under the GDPR, you are required to report a personal data breach to the regulator if it is likely to result in a “risk to the rights and freedoms of data subjects”. This includes the right to privacy (e.g. id and email).
You must report to the regulator “without undue delay”, and no later than 72 hours of becoming aware of the breach. The ICO has a helpline and standard notification procedure for this, which you can check out here.
There’s still some debate over what might and might not amount to a reportable breach under the above definition. What’s clear, however, is that it’s not how the breach occurred that determines whether you need to report it. Rather, it’s based on the risk to the individuals whose data is affected.
Let’s say your customer database becomes corrupted. Within a day, you are able to put a backup version into operation, and from your security event management system, you are satisfied that there has been no unauthorised access to that data. The rights and freedoms of data subjects have not been affected – so there’s no duty to report to the regulator (although you should still record it internally).
Meanwhile, an employee reports the suspected theft of a USB stick containing copy customer emails. It wasn’t password protected – and neither was the data encrypted. This almost certainly would be a reportable breach.
Informing the individuals affected
If the data breach is likely to result in a high risk to the rights and freedoms of individuals, you also need to notify those individuals. This includes telling them in clear and plain language what has happened, what it means, what you’re doing to put things right and what they can do themselves to minimise the risks posed.
A “high” risk includes things like identity theft, fraud, financial loss and damage to reputation. In other words, if there’s a risk of customer data falling into the wrong hands – or of sensitive information being made public, you need to inform them.
What happens if I don’t report personal data breaches or leaks?
If you have a notifiable breach and you fail to report it to the ICO, you could receive a hefty fine of up to £8.7 million or 2% of your global turnover. If you decide you don’t need to report the breach, you may be asked to justify this decision at a later date. Make sure you document it.
Protecting your organisation against data breaches
The ICO does not punish organisations simply for suffering a data breach. What happens next depends a lot on the type of “back story” you are able to provide; i.e. your ability to explain to the regulator what happened – along with evidence that you are not falling short when it comes to appropriate protective measures.
The ICO will be especially concerned with the following:
- Did you report the incident on time?
- Can you explain what happened, how it happened and what you did to fix it?
- Did you have an incident response plan in place (there is a template response plan in The Privacy Compliance Hub)?
- For the data processing operation in question – did you perform a privacy impact assessment (again, available in The Privacy Compliance Hub)?
- Do your data security measures – e.g. firewalls, penetration testing and authentication – measure up with the “state of the art”?
Covering all of this becomes so much easier with a single source for information, training, alerts and reporting procedures. This applies both to preventing security breaches in the first place – and for responding in the right way if and when an actual breach occurs.
Fortunately, that is just what we deliver in The Privacy Compliance Hub. To discover more about how our compliance tool can be implemented to protect your organisation and educate your employees with ease, check out our ‘How it works’ page or speak to us today – we’d love to hear from you!