In the run-up to the GDPR deadline there was plenty of talk about fines. However, not much was really shared about what a data breach actually is, when you should report it, to whom and how. Now that the GDPR is in full effect, it's vital that businesses are aware of what personal data breaches are and have made preparations to handle them.
What’s a personal data breach?
Breaches are covered in Articles 33 and 34 of the legislation, but the addition of Recital 85 is an easier way to see what a personal data breach means:
“A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned.”
If you, your team or organisation accidentally or unlawfully loses, alters or destroys personal data, it's a breach. Further, if a third party receives access to personal data in an unauthorised manner it’s a breach. It doesn’t matter if breaches are an accident or deliberate.
A deliberate breach? Here’s an example: You are organising an event with a partner and share your list of people to invite with the partner (name, email address, etc). However, you did not obtain permission from those people to share their details. Here, you shared the data deliberately in an unauthorised manner.
Other examples of breaches: hacked systems, sending personal data to incorrect recipients, altering personal data without permission, devices like laptops, phones, tablets or desktops being stolen or lost, issues with data processors that you as the controller chose to work with, etc.
Who do I need to report it to?
Your Data Protection Authority (DPA) is your port of call. They are often also called Supervisory Authorities (SA). Your business should understand now which DPA to work with. Here are a few tips on how to make that call:
If you are based in only one EU country, it makes the most sense to choose the local DPA.
If you are based in multiple EU countries, it probably makes the most sense to work with the DPA in your head office location, unless decisions about how personal data is handled are made elsewhere. If that's the case, go with that location. BusinessBrew is based in Ireland and Copenhagen. As Ireland is where all things legal are handled, we work with the DPA here. However, this is not mandatory and if it works better for you to choose a different location you may do so (for example, if your HQ is in Portugal but the team in charge of this specific data process sits in Italy, you may choose the Italian DPA). For this particular reason it's important to track which entity or location is in charge of the decisions for each data process when you create your Article 30 processing records (Data Processing Inventory).
If you are based outside of the EU and are trading with EU citizens you should appoint a representative in the EU. NOTE: a representative is not the same as a Data Protection Officer (DPO). Your representative is your liaison with the DPA and can also be a port of call for data subjects. The natural selection of DPA is then in the country where your representative resides. If this sounds like your business, then BusinessBrew can help as a representative for you. Get in touch to discuss this more.
When do I need to report it to the DPA?
Most things in the GDPR allow for a bit of a grey zone. This does not. You have 72 hours.
Here’s what Article 33 says: “In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority [...]”
You might not have all the details of the breach yet; you may share those later, but still without undue delay. The breach itself still has to be reported within 72 hours.
If you’re not the controller of the data but the processor, it will be your responsibility to report the breach to the controller in question, without delay. Of course, if you are a processor to a large number of controllers because you provide a software solution for example, this can have a huge impact on your business.
Do I need to report all personal data breaches?
We find ourselves back in a grey zone once again when it comes to whether all personal data breaches need to be reported.
The GDPR states that you need to establish how likely it is that the breach will result in a risk to people’s rights and freedoms as well as the severity of the breach on those rights and freedoms. If this is unlikely, you don’t have to report it. You will still need to document the breach and the justification behind not reporting it.
This is an area that I personally feel will develop and colour will be added as breaches start to occur. A good reminder, the DPA isn’t just there to penalise you. They are there to help. So you can contact the DPA with questions and even run potentially risky personal data processes by them before you implement them to get their opinion.
How should I report a personal data breach?
As a minimum in your report to the DPA:
- describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
- describe the likely consequences of the personal data breach;
- describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
(see Article 33 of the GDPR)
The Irish DPA has published a form for reporting breaches. It's a useful guide and you can view it here.
We talk a lot about documenting your personal data processes in an inventory. If you are doing this and include the level of risk, the category of data, who is affected by each process, the lawful basis for processing, how each process is secured, etc., you are already answering a large part of the breach report. In addition, you demonstrate your awareness of your processes and your work towards managing them in a safe way.
Do I need to inform the individuals affected?
It depends. Article 34 covers this and the first paragraph states: “When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.” Similar to all privacy communication, this information needs to be provided in clear, transparent language.
The exceptions are also listed and I’d encourage you to read up on them.
The ICO in the UK has provided a great example on high vs low risk:
High Risk: A hospital suffers a breach that results in an accidental disclosure of patient records. There is likely to be a significant impact on the affected individuals because of the sensitivity of the data and their confidential medical details becoming known to others. This is likely to result in a high risk to their rights and freedoms, so they would need to be informed about the breach.
Low Risk: A university experiences a breach when a member of staff accidentally deletes a record of alumni contact details. The details are later re-created from a backup. This is unlikely to result in a high risk to the rights and freedoms of those individuals. They don’t need to be informed about the breach.
Preparation is everything
Privacy starts with PR. So does preparation. A personal data breach, regardless of how large (we are looking at you, Facebook) or small, can have a severe impact on your business and your hard-earned relationships. No business wants to commit a breach, but you can't fully protect yourself against them, so it's important to be prepared for when one does happen. Here's what we recommend:
- Train your team on the GDPR and what a personal data breach is
- Create a safe environment for reporting breaches
- Document all your personal data processes in a Data Processing Inventory
- Determine the risk associated with each personal data process
- Appoint a team member (or team) responsible for handling breaches (this should be your DPO if you have one) and ensure there is a backup in case of holiday / illness etc.
- Create a guideline to determine the level of risk to the rights and freedoms of your data subjects affected by the breach to help you decide whether or not you need to report to the DPA and / or the individual affected
- Establish the format for documenting breaches whether or not they are reported to the DPA and / or individuals
- Decide on your DPA and know how to contact them
- Have a process in place for reporting breaches within the deadline and in the correct format to the DPA
- Have a process in place for communicating the breach to individuals if necessary
Being prepared for breaches means you are more aware of risk and more likely to avoid risky situations in the first place.
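As an added example (not from this post or from BusinessBrew), here is a minimal breach register in Python that records the Article 33(3) minimum fields, derives the 72-hour DPA deadline from the moment of awareness, and applies the decision described above: document only when a risk is unlikely, report to the DPA otherwise, and also inform individuals when the risk is high. The risk tiers, field names and the two sample entries are assumptions modelled on the post and on the ICO examples it quotes.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import List, Optional

class Risk(Enum):  # assumed three-tier outcome of the risk assessment
    UNLIKELY = "unlikely"  # document internally only, no DPA report (Art. 33(1))
    LIKELY = "likely"      # report to the DPA within 72 hours of awareness
    HIGH = "high"          # report to the DPA and inform the data subjects (Art. 34)

DPA_WINDOW = timedelta(hours=72)  # "not later than 72 hours after having become aware"

@dataclass
class BreachRecord:
    aware_at: datetime            # when the controller became aware (timezone-aware)
    risk: Risk                    # outcome of the risk assessment
    nature: str = ""              # Art. 33(3)(a): what happened
    subject_categories: str = ""  # Art. 33(3)(a): categories of data subjects
    approx_subjects: int = 0      # Art. 33(3)(a): approximate number of data subjects
    approx_records: int = 0       # Art. 33(3)(a): approximate number of records
    contact_point: str = ""       # Art. 33(3)(b): DPO or other contact for more information
    consequences: str = ""        # Art. 33(3)(c): likely consequences of the breach
    measures: str = ""            # Art. 33(3)(d): measures taken or proposed
    dpa_notified_at: Optional[datetime] = None

def must_notify_dpa(rec: BreachRecord) -> bool:
    return rec.risk is not Risk.UNLIKELY

def must_inform_subjects(rec: BreachRecord) -> bool:
    return rec.risk is Risk.HIGH

def dpa_deadline(rec: BreachRecord) -> datetime:
    return rec.aware_at + DPA_WINDOW

def dpa_report_overdue(rec: BreachRecord, now: datetime) -> bool:
    return must_notify_dpa(rec) and rec.dpa_notified_at is None and now > dpa_deadline(rec)

def missing_report_fields(rec: BreachRecord) -> List[str]:
    # Art. 33(3) minimum fields still empty; an empty list means the report is complete
    required = ["nature", "subject_categories", "approx_subjects", "approx_records", "contact_point", "consequences", "measures"]
    return [f for f in required if not getattr(rec, f)]

# Constructed sample register entries, modelled on the ICO examples quoted in the post.
hospital = BreachRecord(
    aware_at=datetime(2018, 6, 1, 9, 0, tzinfo=timezone.utc), risk=Risk.HIGH,
    nature="Accidental disclosure of patient records", subject_categories="patients",
    approx_subjects=120, approx_records=120, contact_point="dpo@hospital.invalid",
    consequences="Confidential medical details known to others", measures="Access revoked")
alumni = BreachRecord(
    aware_at=datetime(2018, 6, 1, 9, 0, tzinfo=timezone.utc), risk=Risk.UNLIKELY,
    nature="Staff member deleted an alumni contact record; restored from backup")
```

Run `missing_report_fields` before filing so the DPA report is not sent with gaps, and keep the record even when `must_notify_dpa` is false, since the justification for not reporting must still be documented.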