Data breaches. Even the phrase itself sends chills down the spines of CISOs and CPOs. Protecting your organisation against such a threat is a key obligation of the upcoming EU General Data Protection Regulation. That responsibility is defined under the so-called "security principle", wherein all appropriate safeguards have to be taken to ensure effective information security via best-practice standards such as ISO 27001/2 and the NIST security controls.
However, putting all of that to the side, what most organisations need to understand right away is what their legal obligations are AFTER a data breach has occurred (after all, they are increasing in frequency at a seemingly exponential rate).
So, let's get down to brass tacks; what is a personal data breach exactly?
Article 4(12) of the GDPR provides the definition of ‘personal data breach’ as ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed’.
Articles 33 and 34 impose requirements on data controllers to notify personal data breaches to their data protection authority (in the UK's case this would be the Information Commissioner's Office) and, in certain circumstances, to communicate with the people impacted by the breach.
(A data controller is the person/company who - either alone or jointly or in common with other persons - determines the purposes for which and the manner in which any personal data is processed.)
Now that may seem simple enough, but hold your horses; there's more:
- Data controllers are obliged to report breaches to the relevant supervisory authority without undue delay; where feasible, not later than 72 hours after they first become aware;
- If not made within 72 hours, a justification for the delay must be provided;
- It is not necessary to notify the DPA where the breach is “unlikely to result in a risk for the rights and freedoms” of data subjects;
- If applicable, a breached data processor (a person/organisation which has been told by a controller to process data) has to notify their data controller without undue delay after becoming aware of the personal data breach.
If a data controller is not aware of a breach, then the notification requirement cannot be triggered. This literal interpretation can cause a bizarre outcome, in the sense that some data controllers might sneakily conclude that, in order to avoid breach disclosure, they should avoid putting in place measures to detect breaches in the first place.
That kind of thinking would be very silly. In a purely operational sense, breach detection measures are necessary in all organisations. In a legal sense, it is an implicit, basic requirement of the GDPR security principle in Article 5(1)(f)—and the breach disclosure rule itself—that data controllers HAVE to put in place breach detection measures. A failure to put such measures in place would constitute a breach of the security principle, exposing the controller to lots of lovely legal risk.
Once a suspected breach is detected, the data controller needs to determine whether it meets the definition of personal data breach and, if so, whether it is of a type that is likely to cause a risk to the rights and freedoms of individuals. This has to be done very quickly, because the controller has to notify without undue delay, which is subject to a 72-hour limit. This obviously implies a comprehensive incident response plan is vital or you're just going to be wandering around in the dark, figuratively speaking.
But that's not all. Even with all that sorted, you have to then decide whether you report the data breach to the data subjects affected by it. How is that decided then?
Simple. Article 34 requires data controllers to inform data subjects of personal data breaches if those breaches are likely to present high risks to the rights and freedoms of individuals. Therefore, there's a severity threshold here. For example, a breach of names and personal business email addresses to a third party might present a risk and trigger notification to the ICO, but not a high risk, as many people openly share their business email account. “High risk” can be determined in two different contexts: either through impact to a large number of data subjects or via a particularly large amount of damage to certain individuals.
But even then, the GDPR gives you three lovely exceptions to having to disclose the breach to data subjects:
- The first exception is where measures have been taken to render personal data unintelligible, for instance, by use of encryption.
- The second exception operates where the data controller has taken steps to prevent the high risks from materialising, which is another justification for good-quality incident response strategies.
- The third exception is where breach disclosure would involve disproportionate effort - which is most likely to arise where the controller is unable to identify all the individuals impacted by the breach. In such a case, there still has to be some form of broad public announcement, through a press release or a statement on a website.
We're almost there! Now onto the data breach notification itself. The notification to the DPA and/or data subjects has to contain the following:
1) A description of the nature of the personal data breach including, where possible:
- the categories and approximate number of data subjects concerned;
- the categories and approximate number of personal data records concerned;
2) The name and contact details of the data protection officer or other contact point where more information can be obtained.
3) A description of the likely consequences of the personal data breach, emphasising the impact on the data subject/s and if applicable, what measures they themselves will need to take to ensure adequate protection.
4) A description of the mitigating measures taken or proposed to be taken by the data controller to address the personal data breach.
And last but certainly not least, you MUST keep a record of ALL the personal data breach notifications you have sent in case the DPA wants to take a look at them. These records are not subject to any stop date, so, in theory, they should be held in perpetuity.
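The detection-to-notification workflow described above (72-hour clock, the risk and high-risk thresholds, the three Article 34 exceptions, the mandatory notification content, and the permanent register) is the kind of thing an incident response team ends up encoding in tooling. The following is an added illustration, not code from the original article and not legal advice: a small Python model of those obligations. The `Breach` record, the `Risk` levels, the string labels for the data-subject outcome and the sample notification are all assumptions chosen for the example; the rules it applies are the ones stated on the page.

```python
"""Breach register and notification-obligation helper (added example, not legal advice)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, List, Tuple

HOUR = timedelta(hours=1)
# Article 33: notify the DPA without undue delay and, where feasible, within 72 hours of awareness.
DPA_DEADLINE = 72 * HOUR

# Content every notification has to carry (the four numbered items on the page).
REQUIRED_FIELDS: Tuple[str, ...] = (
    "nature",              # description of the nature of the breach
    "subject_categories",  # categories of data subjects concerned
    "subject_count",       # approximate number of data subjects
    "record_categories",   # categories of personal data records
    "record_count",        # approximate number of records
    "contact",             # DPO or other contact point
    "consequences",        # likely consequences and impact on the data subjects
    "mitigation",          # measures taken or proposed by the controller
)


class Risk(Enum):
    NONE = "unlikely to result in a risk"  # no DPA notification needed
    RISK = "risk"                          # DPA notification needed
    HIGH = "high risk"                     # DPA plus data subjects, unless an exception applies


@dataclass(frozen=True)
class Breach:
    ref: str                          # hypothetical internal reference, e.g. "BR-0001"
    aware_at: datetime                # moment the controller became aware (timezone-aware)
    risk: Risk
    data_unintelligible: bool = False # first exception: e.g. encrypted, keys not compromised
    high_risk_mitigated: bool = False # second exception: later measures removed the high risk
    subjects_identifiable: bool = True  # False: third exception, public announcement instead


def dpa_notification_due(b: Breach) -> datetime:
    """Latest time the DPA notification can go out without a justification for the delay."""
    return b.aware_at + DPA_DEADLINE


def obligations(b: Breach, now: datetime) -> Dict[str, object]:
    """Work out who has to be told, given the facts recorded about the breach."""
    notify_dpa = b.risk is not Risk.NONE
    overdue = notify_dpa and now > dpa_notification_due(b)

    if b.risk is not Risk.HIGH or b.data_unintelligible or b.high_risk_mitigated:
        subjects = "not_required"
    elif b.subjects_identifiable:
        subjects = "notify_individually"
    else:
        subjects = "public_communication"  # press release or website statement

    return {
        "notify_dpa": notify_dpa,
        "dpa_due": dpa_notification_due(b) if notify_dpa else None,
        "justification_required": overdue,
        "data_subjects": subjects,
    }


def missing_fields(notification: Dict[str, str]) -> List[str]:
    """Required notification fields that are absent or empty."""
    return [f for f in REQUIRED_FIELDS if not str(notification.get(f, "")).strip()]


class BreachRegister:
    """Append-only record of notifications sent. No delete method: the page says records have no stop date."""

    def __init__(self) -> None:
        self._entries: List[Dict[str, object]] = []

    def record(self, b: Breach, notification: Dict[str, str], sent_at: datetime) -> Dict[str, object]:
        gaps = missing_fields(notification)
        if gaps:  # refuse to log an incomplete notification rather than silently keep a bad record
            raise ValueError(f"{b.ref}: notification incomplete, missing {gaps}")
        entry = {
            "ref": b.ref,
            "sent_at": sent_at,
            "hours_after_awareness": (sent_at - b.aware_at) / HOUR,
            "notification": dict(notification),
        }
        self._entries.append(entry)
        return entry

    def entries(self) -> Tuple[Dict[str, object], ...]:
        return tuple(self._entries)


# Constructed sample data for the example (not a real incident).
SAMPLE_AWARE_AT = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
SAMPLE_NOTIFICATION = {
    "nature": "misdirected export of a customer list", "subject_categories": "customers",
    "subject_count": "approx. 1200", "record_categories": "name, business email",
    "record_count": "approx. 1200", "contact": "dpo@example.invalid",
    "consequences": "unsolicited contact", "mitigation": "recipient confirmed deletion",
}

if __name__ == "__main__":
    sample = Breach("BR-0001", SAMPLE_AWARE_AT, Risk.HIGH)
    print(obligations(sample, SAMPLE_AWARE_AT + 10 * HOUR))
    print(BreachRegister().record(sample, SAMPLE_NOTIFICATION, SAMPLE_AWARE_AT + 30 * HOUR))
```

The design choice worth noting is that `obligations` takes the facts and the current time as inputs and returns the decision, so the same function can be run again as the investigation changes the facts (for example once it is confirmed that the lost data was encrypted), and the register refuses to store a notification that is missing any of the mandatory content.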
Hope that was a useful read. It needs to be known like the back of your hand.