
Data breach reporting

The GDPR introduced a duty on all organisations to report certain types of personal data breaches to the relevant supervisory authority. Failing to do so can result in heavy fines and penalties and an investigation by the Information Commissioner's Office (ICO). Read this guide for more information on your data breach reporting obligations and personal data breaches.

Under the GDPR, new obligations have been imposed for all businesses to report certain types of personal data breaches to the ICO within 72 hours of the business becoming aware of the breach.

A personal data breach is a breach of security which leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. This means any personal data that is stored, processed or transmitted. It includes more than just losing personal data. Personal data breaches can include:

  • access by an unauthorised third party
  • deliberate or accidental action by a controller or processor
  • sending personal data to an incorrect recipient (eg being sent to the wrong email address)
  • devices being lost or stolen that contained personal data (eg laptops and mobile phones)
  • alteration of personal data without permission

Only personal data breaches are considered data breaches for the GDPR. Therefore, the reporting obligations only apply to personal data. It also only applies to living people.

When considering whether a personal data breach has occurred, you should consider the following three factors:

  • confidentiality
  • integrity
  • availability


A confidentiality breach is where there is an unauthorised or accidental disclosure of, or access to personal data. It's not a security breach if, for example, you send information to an address you held for someone, but they then subsequently moved addresses.


An integrity breach is where there is an unauthorised or accidental alteration of personal data. This can include hard copies being damaged by fire or flood.


An availability breach is where there is an accidental or unauthorised loss of access to, or destruction of, personal data. It won't be a data breach if, for example, the personal data is not available due to planned IT maintenance.

When any security incident occurs, you should quickly establish whether a personal data breach has occurred and take steps to address it, including telling the ICO if required.

However, not all three factors need to be present for it to be a data breach. Any one of these factors alone can be sufficient for a personal data breach. Each case will depend on its own facts.

The ICO needs to be notified when a data controller becomes aware of the breach and when they have a reasonable degree of certainty that data has been compromised. For example, a customer may contact you about being sent data belonging to someone else. In this instance the data controller becomes aware as soon as they have been notified. Another example is where there is clear evidence that your IT systems have been compromised.

Although you don't need to be absolutely certain that data has been compromised, you must have a degree of certainty. This is decided on each specific set of circumstances.

Although a data breach may have occurred, not every personal data breach needs to be reported. When a personal data breach has occurred, you need to consider the combination of the severity and the likelihood of the potential negative consequences of the breach, including the resulting risk to people's rights and freedoms. Adverse effects and risks can include emotional and physical distress, financial loss, loss of reputation and other economic or social disadvantages to the individual.

If it's likely that there will be a risk then you must notify the ICO; if it's unlikely then you don’t have to report it. However, if you decide you don't need to report the breach, you need to be able to justify this decision, so you should document it.

The following factors can be taken into account when deciding whether to notify the ICO:

  • severity
  • type of breach (eg is the breach a disclosure or loss of data?)
  • sensitivity of data (eg is the data related to medical information?)
  • how easy is it to identify individuals from that data
  • potential consequences
  • any special characteristics of the individual (eg did the data that was compromised belong to a child or vulnerable individual?)

If a personal data breach needs to be reported to the ICO, you have 72 hours after becoming aware of it to do so. If you take longer than this, you must give justifiable reasons for doing so. The 72 hours includes evenings, weekends and bank holidays.

When reporting a breach you must provide the following information:

  • a description of the nature of the personal data including how many people it affected and the type of personal data records compromised
  • the name and contact details of your data protection officer (DPO) (if you have one) or other contact point where more information can be obtained
  • a description of the likely impact and consequences of the personal data breach
  • a description of the measures taken or proposed to be taken to deal with the personal data breach

The GDPR recognises that it's not always feasible to investigate a breach fully within 72 hours to understand what has happened and needs to be done to mitigate it. The GDPR allows you to report the breach in phases, as long as this is done without unreasonable delay.

The ICO has reporting forms which allow you to notify the ICO.

If a breach is likely to result in a high risk to the rights and freedoms of individuals, the GDPR says you must inform those concerned directly and without undue delay. In other words, this should take place as soon as possible.

A ‘high risk’ means the threshold for informing individuals is higher than for notifying the ICO. For example, sensitive medical data that has been lost or compromised will have a higher risk to the individual than a loss or compromise of an email address.

You will need to assess the severity of the potential or actual impact on individuals as a result of a breach. In cases where the severity and impact of the breach are high, you will need to promptly notify the individuals affected.

One of the main reasons for informing individuals is to help them take steps to protect themselves from the effects of a breach.
