According to Article 33 of the UK GDPR, in the event of an actual or suspected personal data breach, a report should be made to the supervisory authority, which in the UK is the Information Commissioner's Office (ICO). The definition of a personal data breach is given in Article 4(12): 'a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.'
So, for example, sending personal data by email to the wrong recipient would be unauthorised access. However, the UK GDPR goes on to say that a report is necessary only where the breach poses a risk to the fundamental rights and freedoms of the individuals concerned.
Every incident is different
Back in 2018, when this became a GDPR obligation, the ICO did publish advice stating that not all breaches meet the threshold for reporting. But this didn't really help, because it did not clearly state where that threshold lies. I believe one criterion for a report is where special categories of data are concerned. Categories such as health, religious belief and ethnicity could easily pose a risk to someone's rights or freedoms in the wrong hands. We work on that basis and always report such incidents. On the other hand, if you were processing only regular categories of data, such as names and addresses, and a similar circumstance arose, you might decide that there is limited risk to individuals' rights and not report it, but instead update procedures where necessary, deliver training to those involved and move on. Every incident therefore needs to be assessed on its own merits; every incident is different, and everyone might interpret this obligation differently. Hope and May have developed an incident severity index to identify that threshold in a more accountable way.
Below are some additional pointers on what to do if you have a data breach.
When should we contact the ICO?
You must notify the ICO within 24 hours of becoming aware of the essential facts of the breach.
Your notification to the ICO must include (as a minimum):
- your name and contact details
- the date and time of the breach (if known)
- the date and time you were made aware of the breach
- information about the type of breach
- information about the personal data concerned
Where possible, you should include additional information such as the number of individuals affected, how they will be impacted, and any steps you have taken to mitigate the risks to those individuals. If you cannot provide this information immediately, you must provide it as soon as possible.
Failure to submit breach notifications can incur a £1,000 fine.
When should we contact the individuals/customers involved?
If the breach is likely to negatively affect the personal data or privacy of the individuals/customers, you need to notify them immediately. Your notification to the individuals concerned should include:
- your name and contact details
- the estimated date of the breach
- a summary of the incident
- the nature and content of the personal data
- the likely effect on them
- any measures taken to address the breach
- how they can mitigate any possible negative impact
NOTE: You do not need to tell your customers about a breach if you can demonstrate that the data was encrypted (or made unintelligible by a similar security measure).
If you do not tell your customers, the ICO can require you to do so if it considers that the breach is likely to negatively affect them.
What should we record in our breach log?
You must keep a record of all personal data breaches in a log. It must contain:
- the facts surrounding the breach
- the effects of the breach
- corrective action taken
The ICO website also publishes a further step-by-step guide to handling a breach.
Support with a data breach
If you are dealing with a breach, have concerns about how to deal with a potential breach, or wish to create a breach management policy, please get in touch at email@example.com.