The ICO recently revealed that almost a third of the 500 reports of data breaches it receives each week are considered to be unnecessary or fail to meet the threshold of a GDPR personal data breach.
With so much confusion surrounding what types of incident need to be reported, when they need to be reported and even the reporting process itself, our latest blog seeks to clarify these and other frequent misconceptions.
What constitutes a personal data breach?
According to the Information Commissioner's Office (ICO), many organisations misunderstand the types of compromise that need to be officially reported under the General Data Protection Regulation (GDPR). 'Over-reporting' by businesses is therefore common, and is often driven by a desire to be seen as transparent and to avoid any risk of sanctions for under-reporting.
The GDPR defines a personal data breach as 'a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed' (Article 4(12)). Note that this covers loss of availability and integrity, not only unauthorised disclosure.
Data breaches vary in severity, and not every personal data breach that falls within the above definition needs to be reported. The deciding factor is whether the breach is likely to 'result in a risk to the rights and freedoms of natural persons'; Article 33 only exempts breaches that are unlikely to do so. But what does this actually mean in practice?
The key to understanding the breach reporting threshold can actually be found in GDPR Recital 85, which says:
‘A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned.’
Each breach should be assessed on a case-by-case basis. Whereas some personal data breaches may do no more than inconvenience the staff who need the data to perform their job, others stand to affect large numbers of individuals and result in emotional, physical or material damage.
It is also worth noting that, should your organisation suffer a breach and decide that it does not meet the threshold for reporting, you are still required to document it. Article 33(5) obliges controllers to record every personal data breach, including the facts, its effects and the remedial action taken, and the ICO expects that record to include the justification for not reporting, so that the decision can be defended if it is challenged later.
Example GDPR personal data breaches that need to be reported to ICO and any affected individuals
• A hacker breaching a business’ cardholder data environment to steal financial details of customers
• A system error resulting in customers being able to view the account details of other customers
• A member of staff copying customer data onto a USB stick and disclosing the data to a third party
• A disgruntled employee leaking the payroll data of hundreds of company employees
• The disclosure of confidential patient health records to an unauthorised third-party company
Example GDPR personal data breaches that are unlikely to need reporting to ICO
• A fire that causes paper records to be lost, if the only copy of the data is held on paper
• The loss or inappropriate alteration of a staff telephone list
• An accidentally erased hard drive that contains the only copy of individuals' data
These are availability breaches, and whether they need reporting depends on the consequences of the loss for the individuals concerned: the same loss becomes reportable where people depend on the data, for example where the records are needed for their medical care or to pay them.
Example GDPR personal data breaches that need to be reported to ICO but not to affected individuals
• A hacker accesses customers' personal data, but the data is encrypted
• A laptop containing personal data is left on a train, but the laptop's hard drive is encrypted
In both cases Article 34(3)(a) removes the duty to notify individuals only because the data has been rendered unintelligible to anyone not authorised to access it. That holds only if the encryption is adequate and the key has not also been compromised; a laptop left powered on or with a weak login password, or an attacker who also obtained the decryption key, puts the breach back in the first category. The breach must still be reported to the ICO, and still documented.
How soon should personal data breaches be reported?
According to the ICO, many organisations are also unsure about their responsibilities around breach reporting. The GDPR requires organisations to have suitable controls in place to detect personal data breaches and to report them to the relevant supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of them (Article 33). One mistake many businesses make is to assume that the reporting period is 72 'working' hours. In reality it is 72 hours, including nights and weekends, from the point at which the organisation became aware of the breach, and a late notification must be accompanied by the reasons for the delay.
Where a breach is likely to result in a 'high risk' to the rights and freedoms of individuals, those individuals must also be notified (Article 34). The GDPR states that this should be done 'without undue delay', so that individuals can take suitable precautions, and the notification must describe the likely consequences of the breach and the measures taken or recommended to mitigate them.
Where it is not practical to notify individuals directly, for example because the contact details needed to reach them have themselves been lost, or because doing so would involve a 'disproportionate effort', organisations must instead make a public communication, such as a press announcement or a notice on their website, that is equally effective at informing those affected.
What breach information needs to be reported?
A failure to provide all of the information requested by the ICO is another common failing of organisations reporting breaches, suggesting that many are ill prepared or lack the expertise and technical capability, such as adequate logging and an incident response process, needed to establish the details sought.
Before reporting a breach, even by telephone, it is worth reading the ICO's personal data breach reporting form, which sets out the information required. This includes:
• The type, nature and cause of the breach
• When the breach happened and was discovered
• Categories of personal data included in the breach
• Number of records and data subjects concerned
• Impact and consequences of the breach
• Estimated breach recovery time
• Plans on how to tackle its effects
It might not be possible to provide all of the requested information within 72 hours, and the GDPR allows for this: Article 33(4) permits the information to be provided in phases without undue further delay. The ICO nonetheless expects organisations to demonstrate that they are prioritising the investigation and working to supply the outstanding details within an agreed timeframe.
What are the consequences of failing to report a personal data breach?
Under the GDPR, organisations cannot afford to brush breaches under the carpet. A failure to notify the ICO of a personal data breach, or to document it, can result in a fine of up to €10 million or 2 per cent of global annual turnover, whichever is higher (Article 83(4)).
The higher tier of fines, up to €20 million or 4 per cent of global annual turnover, whichever is higher, applies where the failings behind the breach also infringe the core principles or data subjects' rights (Article 83(5)), and where an organisation fails to comply with an order issued by the ICO under its Article 58(2) corrective powers (Article 83(6)).
As a leading provider of managed cyber security services, Redscan has extensive experience helping organisations to comply with the GDPR, Data Protection Act 2018 and other regulatory requirements. Our team of specialists help organisations to assess data security risks, identify and address exposures and swiftly detect and respond to threats.
ThreatDetect™, our award-winning Managed Detection and Response service, combines red and blue team security professionals, cutting-edge technology and the latest global intelligence to hunt for threats, monitor networks and endpoints 24/7 and provide integrated incident response.
By proactively identifying breaches, ThreatDetect helps organisations to significantly reduce their mean time to detect (MTTD) and mean time to respond (MTTR), protect vital data and assets, and support stakeholder and compliance reporting.
Disclaimer: This article is provided for informational purposes only. Redscan always recommends organisations seek the advice of a qualified legal professional to assist compliance.