What is a personal data breach?
Under Art. 4 of the General Data Protection Regulation (GDPR), a personal data breach is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
One of the material changes likely to have a significant impact on the role of controllers under the GDPR relates to the mandatory notification of personal data breaches to the relevant supervisory authority. Notification to affected individuals will also be required where the breach is likely to result in a high risk to the rights and freedoms of the individual. These new obligations are key to the principles of accountability and transparency that underpin the GDPR.
Ideally, as the old saying goes, prevention is far better than cure!
Recital 78 of the GDPR relates to the appropriate technical and organisational measures that organisations are obliged to take to ensure that the requirements of the regulation are met. To demonstrate compliance with the GDPR, the controller should ideally adopt internal policies and implement measures which meet, more specifically, the principles of data protection by design and data protection by default.
You may wish to consider improving security features throughout your organisation and thoroughly documenting your processing activities to ensure best practice and IT governance. Possible areas to focus on include system access control, system authentication, your company website, data back-up procedures in conjunction with business continuity measures, your IT system capabilities and encryption, to name but a few!
In the event that you do incur a data breach, there are 5 key steps that you will need to take:
1. Breach Detection
Following the detection and confirmation of a data breach, the clock starts now! Under the General Data Protection Regulation (GDPR) you are obliged to inform the supervisory authority without undue delay and, where feasible, not later than 72 hours after first becoming aware of it, unless of course you are able to demonstrate that the data breach is unlikely to result in a risk to the rights and freedoms of natural persons, i.e. your employees and/or client base.
2. Risk Assessment
Your company should ideally have a high-quality risk management process and a robust breach detection process, together with comprehensive investigative and reporting processes.
Here you need to question whether the data breach is likely to result in any risk to the rights and freedoms of natural persons. Should a risk be identified, notification to the supervisory authority is essential. At this stage it is also important to establish whether the data breach affects individuals in more than one European member state; should this scenario arise, notification to the lead supervisory authority is required. Following a high-quality risk assessment, where the breach is deemed not to pose any risk, there is no requirement to notify either the supervisory authority or the individuals concerned.
3. High or Severe-Risk Assessment Result
An assessment leading to a high or severe result is likely to have a considerable or critical impact on the individuals concerned, and you are obliged to notify those concerned without undue delay. It is vital that a breach of this nature is handled sensitively and by nominated members of your workforce, in accordance with your internal breach handling policies and procedures.
4. Notification and Provision of Information
Following a thorough assessment and evaluation of the data breach, it is now time to inform the individuals of the data breach and, where appropriate, provide steps they may wish to take to protect themselves from the consequences of the breach. You may wish to do so by means of a formal letter, sent directly by post or by email.
Suggested areas to address within your notification to the individual may include:
- First and foremost, an apology!
- What happened?
- What information is concerned/involved?
- What you as a company are doing to mitigate current and future risk.
- What they (the individual) can do to protect themselves and/or the data in question. For example, if the data was of a financial nature, the account holder may need or wish to monitor their financial accounts more carefully, or register with the financial provider to receive fraud alerts should any fraudulent activity emerge because of the breach.
- Finally, you may wish to provide the individual with a contact number for the dedicated team currently handling the breach, so that they can discuss and further address any concerns they may have.
5. Document and Record
From suspected detection through investigation, confirmation of the data breach and, where required, notification, you have just 72 hours following discovery to achieve this. If notification to the supervisory authority is delayed, it must be accompanied by an explanation. It is important to remember that failure to notify the Office of the Data Protection Commissioner or the relevant supervisory authority in a timely and appropriate manner may result in possible material and non-material damages.
Next Steps in handling data breaches under the GDPR:
Now is the time to start looking at the types of incidents that your business could face and to develop an understanding of what could be considered a serious incident in the context of your data, your customers and your employees. You should also ensure you have the roles, responsibilities and processes in place for recording and reporting breaches, for example a Breach Register. Having a breach register will provide clarification and verification of your obligation to notify the supervisory authority.
Ultimately, when it comes to the protection of personal data throughout your organisation, your end goal should be compliance and, in achieving it, adherence to best practice in securing the personal data of both your employees and your client base.