Having good security measures in place is great, but you can never be 100% safe from a data breach. A data breach could lead to an investigation by the Data Protection Authority (DPA), resulting in potential enforcement action against your organisation and damage to your reputation and brand. Being prepared with a solid breach plan is essential.
You need to know how to
- report and
- respond to a breach.
While it is possible to work all of this out in the event of a breach occurring, it is difficult to implement the right actions within the relatively short deadline for informing the Data Protection Authority (DPA) if you haven’t prepared your breach procedure in advance.
It is mandatory to report certain breaches to the regulator (find your National Data Protection Authority online) within 72 hours.
You also need to keep records of breaches and take action to reduce the risk of them happening again.
The GDPR also requires you to have appropriate security measures in place. Demonstrating that you’ve done this will not only help to avoid breaches, but will show that you’ve not been negligent in your approach.
Recognising a breach
The next vital aspect of this is detection. How do you detect a data breach? At the operational level, if your employees realise that they’ve exposed sensitive personal data through an error, that could be a breach detection. At the other end of the scale, security monitoring systems should highlight personal data breaches. That could also be classified as breach detection.
Doing this successfully involves having the correct level of controls in place, which is an essential requirement of the GDPR. A nightmare scenario is when you fail to detect the breach due to a lack of controls, but a third party does discover it and goes public with it. This could lead to a maximum fine of 2% of global annual turnover or €10 million, whichever is greater.
Protecting yourself from cyber incidents
The National Cyber Security Centre (NCSC) provides lots of useful and practical information on protecting your organisation from cyber threats. Some useful resources include:
- Weekly Threat Reports
- Board Toolkit
- Information for small and medium sized organisations
- Small Charity Guide
- Cyber Essentials certification
Some of these incidents may happen through human error and honest mistakes. They could also occur through carelessness and a lack of procedure or guidance. It is therefore essential that your organisation has a suitable data protection policy in place, and that all of your staff, including any volunteers, have completed GDPR and data protection awareness training.
Even when a crime has been committed against you it is your responsibility to follow the necessary procedures, as the breach involves personal data under your control.
All staff must know how to recognise a breach and that they have a duty to make the organisation aware. Inform employees that they should report a suspected breach to an identified member of staff (possibly a Data Protection Officer) who handles the rest of the procedure.
When a breach occurs, the organisation should first establish:
- the facts of what happened
- what personal data was involved
- the number of people likely to be affected
- the likelihood and severity of impact on the people affected
Reporting a breach
After a breach has been escalated within your organisation, you must decide if you need to report it to the Information Commissioner’s Office. Failing to notify a reportable breach can result in a significant fine.
When should a breach be reported?
Not all breaches need to be reported to the ICO, but if the breach is likely to involve a ‘risk to people’s rights and freedoms’, it must be (Article 33).
Such a risk would be one where the people involved could suffer adverse effects as a result of the breach. This depends on what was in the data and how it might be used to damage them, as well as the scale of the breach. The inappropriate disclosure of sensitive or confidential information could be reportable if it would have a negative impact on someone’s sense of privacy. Identity theft, fraud, financial loss and damage to reputation are other risks to rights and freedoms that could result.
The context, scale and level of sensitivity are more important than the nature of the breach. The same type of breach could be reportable or not, depending on the likely effect on individuals.
For example, accidentally sending a bulk email to invite a small number of people to a community event using the ‘to’ and not the ‘bcc’ field is unlikely to be a reportable breach. But sending a similar email to a group of people who are receiving mental health counselling from you would be, as the context identified health information about those people.
If you are satisfied that there is no risk to anyone’s rights or freedoms, then the breach does not need to be reported. In coming to this conclusion, you should clearly document the reasons for this decision.
How is a breach reported?
A breach must be reported to the ICO without undue delay and within 72 hours from when you became aware that a breach had occurred, where feasible.
This 3-day limit applies even when the incident happens over a weekend or holiday. You need to report to the local DPA and give details of the incident. Even if you haven’t established all of the facts, you should still report within 72 hours. Don’t delay, as you will have the opportunity to provide follow-up information. The helpline staff can assist with what to do next, whether you need to inform the individuals, and how to take measures to prevent recurrence.
As most DPA helplines are only available from 9:00 am to 4:30 pm, Monday to Friday, you should report through their online facility if you need to do so at other times.
What happens next?
The Local DPA decides what happens next. Breaches are not routinely made public by the Local DPA. In some cases they will simply record the incident. In other cases they can investigate the circumstances that led to the breach. The outcome can range from no further action through to a monetary penalty in the rarer case of a serious breach involving negligent or deliberate action.
There is also a requirement in the GDPR to inform affected individuals as soon as possible (Article 34). This allows them to take precautions and protect themselves against any negative effects, such as identity fraud.
The threshold for informing individuals is slightly higher than the threshold for reporting to the ICO. Compared to a “likely risk to individuals’ rights and freedoms”, you need to inform people if there is a “high risk”. This difference can be hard to judge. It’s best to take the view that if you need to report to the local DPA, you probably also need to tell the individuals. The local DPA can tell you if you need to inform individuals, or require you to do so.
You need to clearly communicate to the people involved:
- what happened
- what personal information was involved
- what risks are likely or possible
- measures you’ve taken or are proposing to address the breach
- your contact details where they can get more information
Whether you need to report a breach to the ICO or not, you should keep a clear record of every breach incident.
The GDPR requires controllers to:
“document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken”
The GDPR also requires organisations to be accountable and transparent. Under the security of processing, controllers and processors must put in place appropriate measures “to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services” (Article 32).
Keeping a clear record of breaches will help you to meet accountability requirements and is an appropriate measure to ensure the security of processing.
These records also allow the Local DPA to verify that relevant breaches are being reported as required.
You will also need to act on any breach to reduce the risk of recurrence. Identifying patterns or gaps in your practice is important, and keeping records shows that you’re taking responsibility for what happened.
You can choose how you keep this record. It could be a long-form written document, or on a spreadsheet. It is advisable to record:
- the date that the breach happened
- when it was identified and by whom
- if and when the Local DPA were notified (include a case number if given one)
- the nature and circumstances of the breach
- what types of personal information were involved
- how many people were affected
- likely effects of the breach, especially if there is evidence of effects
- if a breach was not reported to the ICO, the reasons for this decision
- remedial action taken to address the breach and prevent further occurrences
- any other information you think relevant