Reporting a data breach under the new EU GDPR
December 1, 2017
In response to the new General Data Protection Regulation (GDPR), which applies from May 25, 2018, we have devoted a series of blogs to the topic to help clarify exactly what the new rules will mean for UK businesses.
As you may know, the new EU GDPR has been designed to strengthen online privacy rights. It covers everything from data sharing to consent for data collection and affects any business, large or small, that processes or controls the personal data of individuals.
In October we covered the very useful GDPR myth-busting advice published by the Information Commissioner’s Office (ICO) relating to fines and consent. This month we will look at data breach reporting.
Should all data breaches be reported to your customers and to the ICO? If all details relating to a breach aren’t known immediately, will your company face significant fines?
Many organisations are still unclear about the consequences of a data breach under the new GDPR. We will summarise what the ICO has to say on the matter below and as always, urge our readers to take the time to read the ICO’s advice in full.
Myth: All personal data breaches must be reported to the ICO.
Under the new GDPR it will be mandatory to report a personal data breach to the ICO if it is likely to result in a risk to people’s rights and freedoms (Article 33). Note that every breach, whether notified or not, must still be documented internally, and the ICO may ask to see that record.
However, as Information Commissioner, Elizabeth Denham clarifies, if it’s unlikely that there’s a risk to people’s rights and freedoms from the breach, you don’t need to report it.
Currently, most data breach reporting is best practice rather than compulsory. The new requirements will therefore necessitate changes to the way organisations – including the ICO – manage personal data breaches.
What is key though, explains Denham, is that the threshold that decides whether a breach needs reporting relates to the risk the breach poses to the people involved.
“Pan-European guidelines will assist organisations in determining thresholds for reporting, but the best approach will be to start examining the types of incidents your organisation faces and develop a sense of what constitutes a serious incident in the context of your data and your own customers.”
Additionally, if a breach is likely to present a high risk to people’s rights and freedoms, an organisation must also make those individuals aware of it without undue delay (Article 34).
High-risk breaches may cause significant suffering to those people involved, such as discrimination, damage to reputation, financial loss, and other significant economic or social disadvantage, says Denham.
“If organisations aren’t sure about who is affected, the ICO will be able to advise and, in certain cases, order them to contact the people affected if the incident is judged to be high risk.”
Myth: All details of a personal data breach must be communicated as soon as it occurs.
The ICO makes clear that there is a requirement for organisations to report a personal data breach under the new GDPR where it is likely to result in a risk to people’s rights and freedoms. This must take place “without undue delay and, where feasible, not later than 72 hours after having become aware of it.” The 72-hour clock runs from the point of awareness, not from the point at which the investigation is complete.
As to the level of information, certain details will be required at the time of reporting an incident; however, the new regulation stipulates that where not all details are available, more can be provided later in phases.
“The ICO will not expect to receive comprehensive reports at the outset of the discovery or detection of an incident – but we will want to know the potential scope and the cause of the breach, mitigation actions you plan to take, and how you plan to address the problem,” Denham adds.
Myth: Data breaches that are not reported in time will always result in a fine, and the fines will be huge.
As reported in our last blog, GDPR is not about fines; it is about putting the consumer and citizen first. Elizabeth Denham is, again, quick to highlight this: “…fines under GDPR will be proportionate and not issued in the case of every infringement.”
It is true though that the ICO will have the power to issue fines where organisations fail to notify or fail to notify in time. But as Denham says, “Fines can be avoided if organisations are open and honest and report without undue delay, which works alongside the basic transparency principles of the GDPR.”
Myth: Data breach reporting is all about punishing organisations.
Rather than punishment, what is actually at the forefront of regulators’ minds, says Denham, is making organisations better equipped to deal with security vulnerabilities.
“We understand that there will be attempts to breach organisations’ systems, and that data breach reporting will not miraculously halt criminal activity. But the law will raise the level of security and privacy protections across the board.”
The ICO is currently working with other EU data protection authorities to produce guidance as to when an organisation should report a breach and the steps they must take to meet their new obligations.
Some examples and guidance can already be found in the ICO’s breach notification overview, but Denham urges organisations to start preparations now by establishing the roles, responsibilities, and processes for detecting, assessing and reporting breaches. In turn, the ICO is adapting its own systems.
“Over the coming months we’ll be gearing up for the changes by introducing a new phone reporting service to enable businesses and organisations to report current personal data breaches and future breaches under the GDPR. It will sit alongside a web reporting form and provide organisations with a quicker and easier way of reporting to the ICO, enabling them to receive immediate advice,” says Denham.
You still have until 25 May 2018 to get GDPR ready, but we advise you not to delay. If you have any queries regarding the new regulations, speak to one of our expert lawyers today.