I remember from my German studies that linguistically there is a difference between “when” as a possibility (use “if”!) and “when” as an inevitability. I think that, in the case of personal data breaches, it is definitely a case of “when” and not “if.”
The reason for this is clichéd. We are human and we make mistakes, and most businesses, made up of mere humans, are processing personal data a lot of the time, so at some point one of those mistakes will relate to personal data. It can be as trivial as leaving a print-out of interview candidates’ names and contact details in the bathroom, or it could be as drastic as making an error configuring a firewall which enables a sustained, malicious attack by an organised criminal gang to steal your customers’ financial information.
The first thing to do is be honest about what has happened. All personal data breaches need to be recorded in an internal register of breaches regardless of the triviality or severity of the breach. The controller of the register should be known to all staff. For those businesses that have appointed a data protection officer (DPO), he / she will manage the register. For those businesses that do not have a DPO, a suitably trained officer is appropriate.
The appointed person should gather the facts. Of particular importance are:
- How many data subjects are affected? (It may just be one.)
- What categories of personal data have been breached?
- What are the risks to the rights and freedoms of the data subjects of the breach?
- What were the circumstances of the breach?
- How did we become aware of the breach?
- Is this a criminal matter?
- What steps have been taken to mitigate or resolve the breach?
- Are there further steps that should be taken?
- Have the data subjects been informed, either by us or a third party?
The appointed person needs to assess whether the breach needs to be notified to the regulator. In the UK, this is the Information Commissioner’s Office (ICO). Not all breaches need to be notified to the ICO. Only those breaches that represent a risk to the rights and freedoms of the data subjects need to be notified. The EU guidance notes that “this risk exists when the breach may lead to physical, material or non-material damage for the individuals whose data have been breached.”
Consideration of both the likelihood of risk and the severity of the risk should be made. If, for example, the encrypted data of thousands of people has been compromised but could not be read without an encryption key that has not been compromised, this will be lower risk than publication of the full financial history of one person.
If a report needs to be made to the ICO, there is a deadline of 72 hours from becoming aware of the breach to make the report. There is a standard form on the ICO’s website, and also a self-assessment tool on whether to report at all (https://ico.org.uk/for-organisations/report-a-breach/). If the report is late, the reason for this will need to be included in the report.
No report needed. What next?
This is not the end of the matter. The GDPR requires businesses to learn from their mistakes and to review what changes to processes and procedures should be made to stop such mistakes from happening again. This review should be documented in the internal register of breaches and, crucially, the actions arising from it must be implemented! Your DPO will not want to explain to the ICO why two breaches with similar circumstances appear on the breaches register.
I’ve reported. What else should I do?
When a breach has occurred where there is a risk to the data subjects, you should contact your insurance company to establish whether you are covered for both the damage to your business and any damage caused to the data subjects. You should also consider whether a notification needs to be made to a professional body or trade association. Some businesses have specific obligations to notify of cyber-attacks.
For those breaches where there is a high risk to the data subjects, you should promptly notify those individuals without undue delay. This is to allow the individuals a chance to protect themselves, by perhaps changing passwords or being alert to suspicious transactions.
And again, there should be a complete review of the circumstances that allowed the breach to occur, and implementation of remedial steps to prevent a recurrence of the breach. Businesses do not have to do everything in their power to stop breaches, but the steps taken to secure personal data must be appropriate in the circumstances, and this may involve investing in better security.
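The assessment and notification flow described above (record the breach, weigh likelihood against severity, report to the ICO within 72 hours of becoming aware where there is a risk, and notify individuals where the risk is high) can be expressed as a small breach-register helper. This is an added example, not code from the original article or from the ICO; the numeric likelihood/severity scales and the thresholds that map them to “low”, “risk” and “high” are assumptions for illustration, not ICO guidance.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

ICO_WINDOW = timedelta(hours=72)  # reporting deadline stated in the article

@dataclass
class Breach:
    aware_at: datetime      # when the business became aware of the breach
    subjects: int           # number of data subjects affected (may be one)
    categories: list        # categories of personal data involved
    likelihood: int         # 1 remote .. 3 likely that harm results (assumed scale)
    severity: int           # 1 inconvenience .. 3 serious damage (assumed scale)
    encrypted: bool = False
    key_compromised: bool = False

def assess_risk(b: Breach) -> str:
    """Combine likelihood and severity into 'low', 'risk' or 'high'.
    The thresholds are an assumption for this example, not ICO guidance."""
    likelihood = b.likelihood
    # Encrypted data whose key is safe: the article's example of a lower-risk breach.
    if b.encrypted and not b.key_compromised:
        likelihood = 1
    score = likelihood * b.severity
    if score <= 2:
        return "low"
    return "high" if score >= 6 else "risk"

def ico_deadline(b: Breach) -> datetime:
    """72 hours from becoming aware, regardless of when the assessment finishes."""
    return b.aware_at + ICO_WINDOW

def actions(b: Breach, now: datetime) -> list:
    """Return the steps the article describes for this breach, in order."""
    steps = ["record in internal breach register"]
    level = assess_risk(b)
    if level in ("risk", "high"):
        due = ico_deadline(b)
        if now > due:
            steps.append("report to ICO (late: include reason for delay)")
        else:
            steps.append(f"report to ICO by {due.isoformat()}")
        steps.append("contact insurer; check professional-body notification duties")
    if level == "high":
        steps.append("notify affected individuals without undue delay")
    steps.append("review circumstances and implement remedial steps")
    return steps

# Constructed sample timestamp used for the worked cases below.
SAMPLE_AWARE = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
```

Feeding the helper the article's two contrasting cases (thousands of encrypted records with an uncompromised key versus one person's full financial history) yields “low” with no ICO report for the first and “high” with individual notification for the second.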
What happens to the report?
The ICO will consider the report you have made. They may seek clarification and/or further information. They will certainly want to see evidence that you have reviewed the incident and are taking steps to mitigate the risk of a further occurrence.
Following their considerations, the ICO may also take enforcement action, if they consider the circumstances of the breach warrant it. The ICO’s powers are wide and the potential fines available for data protection breaches are large. Legal advice may be needed in order to respond to any enforcement action.
The data subjects may also seek compensation for the damage they have suffered. The damage does not necessarily need to be financial and may simply be a claim for inconvenience.
Conclusion - Data Protection by design
The ICO are keen to promote “data protection by design” as a way for businesses to approach data protection. This phrase is not as opaque as it might seem – it is perfectly analogous with the regime around workplace health and safety. The essence of both regimes is an underlying recognition that accidents or breaches will happen, and a commitment to build business processes that foresee the risks and take steps to mitigate them in advance. In this way, businesses can minimise the injury to individuals, and when a breach does eventually happen, they can learn from the error in order to avoid it happening again.
Michelle Rule works in our Corporate and Commercial department but we thought that her article on data protection breaches was so relevant and useful to our HR contacts that we wanted to share the information with you.