
Dealing with suspected personal data breaches

GDPR handling personal data breaches procedures


by Jim Ashton | Oct 3, 2017

Context

This blog entry deals with the General Data Protection Regulation (GDPR). The GDPR is enforced as of Friday the 25th of May, 2018. The Information Commissioner's Office (ICO, the UK's data protection supervisory authority) and its sponsoring government ministry, the Department for Culture, Media & Sport, confirmed in February 2017 that the UK is adopting the GDPR.

Purpose of this document

This document sets out to provide a practical and methodical approach to dealing with suspected personal data breaches.
Click here to download the infographic that goes with this article.

Terminology

  • ICO: Information Commissioner's Office, the UK's data protection regulatory body
  • DPO: Data Protection Officer, a named and accountable person in your organisation
  • Breach: an event that compromises the integrity of personal data, e.g. loss or unauthorised access
  • Pseudonymisation: rendering personal data to a state where it can no longer be attributed to a specific individual without the use of additional information
  • Article: a section in the GDPR containing regulatory requirements
  • Recital: additional descriptive text that accompanies an article

What the scaremongers say

The ICO has commented that there is a considerable amount of scaremongering about personal data breach notification going on, namely that:

  • All breaches must be reported to the ICO
  • All breaches must be reported to all individuals affected by the breach
  • All breach details must be known immediately
  • There are huge fines for failing to report a breach immediately
  • The ICO will use breach reporting problems as a way to punish organisations

Now let's read what the regulation actually says, in Article 33.1:

Article 33.1 "In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay."

Fact versus fiction

Depending on the circumstances of a breach, it may or may not be necessary to notify the ICO, it may or may not be necessary to notify the affected individuals, and, if justified, more than 72 hours is allowed.

Approach your breach with a level head

If you panic, you'll make mistakes and make things worse.

Here are some simple steps for you to follow to help you keep your cool when dealing with a data breach.

NOTE: The 72-hour clock does not start immediately.
A suspected breach is communicated

All suspected breaches should immediately be passed to the Data Protection Officer (or equivalent).

Employing automated monitoring measures and encouraging staff members to escalate human error breaches (e.g. emailing personal data to the wrong person) should help in dealing with breaches before they get out of control.

If a breach goes undetected by your internal channels and is exposed by a complaint lodged by an individual, the consequences may be serious.

Assessment

All suspected breaches should first be assessed to establish whether personal data has actually been compromised. The assessment should be performed by the Data Protection Officer (or equivalent) and involve any staff member that the Data Protection Officer (or equivalent) sees fit to question.

No breach

If a suspected breach turns out to be a false positive, breathe a sigh of relief and log the suspected breach as closed along with a description of action taken.

Breach confirmed

A breach has occurred. The first question to ask is:

"Is the personal data breach likely to result in a risk to the rights and freedoms of natural persons?" Recital 85 illustrates these risks:

"physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned."

If the answer is no (there is no risk), breathe a sigh of relief and log the suspected breach as closed along with a description of action taken.

If the answer is yes (there is a risk):

  1. The 72-hour count-down clock starts now.
  2. The ICO should be notified within 72 hours of this point.

If it is not feasible to notify within 72 hours, notification must still be made along with additional information stating the reasons for the delay.

TR implements personal data breach detection processes and a communication structure to enable GDPR compliance.

The 72-hour notification countdown tasks

  1. The DPO escalates the breach to the Board of Directors.
  2. The DPO and impacted business and support units work together to understand the extent and scale of the breach, and prepare the necessary content for the breach notification that must be sent to the ICO and (if the breach is very serious) create notifications to be sent to the affected individuals.
  3. The DPO works with public relations, legal and regulatory staff to determine if any legal action is necessary.
  4. Mandatory: The DPO finalises the notification for the ICO (see section Creating the notification for the ICO).
  5. Optional: The DPO finalises the notification for affected individuals (see section Creating the notification for individuals).
  6. Final review with key stakeholders to ask for a decision on the notification release.
  7. The notification is sent to the ICO.
  8. Optional: The notification is sent to individuals.
  9. 72-hour clock stops.
  10. Close the incident with a description of the investigation's outcome and all remedial work to be done.
  11. Optional: The DPO and public relations release relevant statements to the media.
  12. Optional: Legal action commences.
  13. Start remedial work.
  14. Await the ICO response.

The following is allowed, though not recommended: you may take longer than 72 hours to send the notification, as long as you also send the reasons for the delay.

The ICO's response (step 14) may be a request that you send a notification to the affected individuals. If so, see the Creating the notification for individuals section.

Creating the notification for the ICO

The notification to the ICO should contain:

  1. A description of the nature of the personal data breach including (where possible):
    • the categories of data subjects concerned
    • the approximate number of data subjects concerned
    • the categories of personal data records concerned
    • the approximate number of personal data records concerned
  2. The name and contact details of the DPO (or equivalent)
  3. The likely consequences of the breach
  4. Measures proposed or taken by the controller to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.

Once complete, the breach notification is sent to the ICO.

Creating the notification for individuals

If a breach is likely to result in a high risk to individuals' personal data, the breach must be communicated to the affected individuals unless:

  1. The breached data was in an unreadable format.
  2. The breached data has been neutralised.
  3. Sending the notification to individuals requires disproportionate effort.

If point 3 is invoked, a public communication or something similar is issued to inform all affected individuals.

The notification to individuals should contain:

  1. A description, using clear and plain language, of the nature of the personal data breach including (where possible):
    • the categories of data subjects concerned
    • the approximate number of data subjects concerned
    • the categories of personal data records concerned
    • the approximate number of personal data records concerned
  2. The name and contact details of the DPO (or equivalent)
  3. The likely consequences of the breach
  4. Measures proposed or taken by the controller to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.

Once complete, the breach notification is sent.
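The triage logic described above (the risk decision that starts the 72-hour clock, the reasons-for-delay rule, the three exceptions to notifying individuals, and the four mandatory parts of the ICO notification) as a small breach-log helper. This is an added example, not the author's or the ICO's own tooling; the `BreachRecord` fields, the field names in `NATURE_FIELDS` and the sample dates are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum

class Risk(Enum):
    NONE = "unlikely to result in a risk"     # close the log entry, nothing to notify
    RISK = "likely to result in a risk"       # notify the ICO within 72 hours (Article 33)
    HIGH = "likely to result in a high risk"  # also communicate to individuals (Article 34)

@dataclass
class BreachRecord:
    confirmed_at: datetime                 # DPO confirmed a breach carrying a risk: clock starts
    risk: Risk
    data_unreadable: bool = False          # exception 1: data was in an unreadable format
    data_neutralised: bool = False         # exception 2: data has been neutralised
    disproportionate_effort: bool = False  # exception 3: individual notices are disproportionate

ICO_DEADLINE = timedelta(hours=72)
# "Where possible" details of the breach description; missing ones are flagged, never guessed.
NATURE_FIELDS = ("data_subject_categories", "data_subject_count",
                 "record_categories", "record_count")

def ico_deadline(rec):
    """72 hours from confirmation of a risk; None when no ICO notification is due."""
    return None if rec.risk is Risk.NONE else rec.confirmed_at + ICO_DEADLINE

def delay_reasons_required(rec, sent_at):
    """Sending late is allowed, but the notification must then state the reasons for the delay."""
    due = ico_deadline(rec)
    return due is not None and sent_at > due

def individual_notification(rec):
    """'none', 'individual' (direct notices) or 'public' (public communication instead)."""
    if rec.risk is not Risk.HIGH or rec.data_unreadable or rec.data_neutralised:
        return "none"
    return "public" if rec.disproportionate_effort else "individual"

def build_ico_notification(rec, nature, dpo_contact, consequences, measures, sent_at):
    """Assemble the four mandatory parts of the ICO notification from the breach record."""
    note = {"nature_of_breach": {k: nature[k] for k in NATURE_FIELDS if k in nature},
            "nature_not_yet_known": [k for k in NATURE_FIELDS if k not in nature],
            "dpo_contact": dpo_contact, "likely_consequences": consequences,
            "measures": measures, "individuals": individual_notification(rec)}
    if delay_reasons_required(rec, sent_at):
        note["reasons_for_delay"] = "REQUIRED: sent after the 72-hour deadline"
    return note

# Constructed sample: high-risk breach confirmed 09:00 UTC on 3 Oct 2017, notified a day late.
SAMPLE = BreachRecord(datetime(2017, 10, 3, 9, tzinfo=timezone.utc), Risk.HIGH,
                      disproportionate_effort=True)
SAMPLE_SENT_AT = datetime(2017, 10, 7, 10, tzinfo=timezone.utc)
```

The `nature_not_yet_known` list is the practical part: it records which "where possible" details were unknown when the notification went out, so the log shows what was reported and what was still being investigated.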
