Data breaches can have a detrimental impact on your organisation. From financial loss and fines to a decline in customer trust, the impact of a data breach can be massive. That is why it is essential to implement cybersecurity good practices and procedures to prevent security incidents. Despite this, you may still suffer a data breach which you may have to notify to your respective data protection authority (DPA) or communicate to the affected individuals.
What is a “personal data breach”?
A personal data breach means “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data”.
Organisations should be aware that a personal data breach can cover a lot more than just ‘losing’ personal data. It includes incidents affecting the confidentiality, integrity or availability of personal data. Importantly, personal data breaches include security incidents that are the result of both accidents (such as sending an email to the wrong recipient, losing a USB key containing customer data, or accidentally deleting medical data for which no backup is available), as well as deliberate acts (such as phishing attacks to gain access to customer data).
In other words, this includes situations such as where someone accesses personal data or passes it on without proper authorisation, or where personal data is rendered unavailable through encryption by ransomware, or accidental loss or destruction. Whilst all personal data breaches are security incidents, not all security incidents are necessarily personal data breaches (since there may not be any personal data involved in a given security incident).
Obligations for data controllers
If your SME acts as a data controller, there are three primary obligations regarding personal data breaches:
- documentation of any personal data breach;
- notification of any personal data breach to the relevant data protection authority (DPA) within 72 hours, unless it is unlikely to result in a risk to individuals; and
- communication of that breach to the individuals without undue delay, where the breach is likely to result in a high risk to individuals.
It is of utmost importance that data controllers understand and comply with these obligations, and implement in advance the appropriate procedures that will allow them to objectively determine in due time whether any of the notifications mentioned above are required.
In any event, for all breaches – even those that are not notified to a DPA, on the basis that they have been assessed as being unlikely to result in a risk – the data controller must record at least the basic details of the breach, the assessment thereof, its effects, and the steps taken in response, as required by Art. 33(5) GDPR.
What to do and how to take action?
Data Breach Notification to the relevant DPA
According to Art. 33(1) GDPR, all data breaches should be notified to the relevant DPA, except for those unlikely to present any risk to individuals. To facilitate this notification, DPAs have implemented procedures or online forms that will guide you step by step to ensure you provide all the required information.
If the breach takes place in the context of cross-border processing and notification is required, the data controller, if established in the EEA, will need to notify the lead DPA. Thus, when drafting their breach response plan, a data controller should already make an assessment as to which DPA is the lead DPA they will need to notify. If the data controller has any doubt as to the identity of the lead DPA then they should, at a minimum, notify the local DPA where the breach has taken place.
Where notification is required, this must be done as soon as possible and within 72 hours after having been made aware of the breach. In case this is not possible, a justification for the delay will be required. An organisation should be regarded as having become ‘aware’ when there is a reasonable degree of certainty that a security incident has occurred and compromised personal data.
In order to be able to demonstrate to the relevant DPA when and how they became aware of a personal data breach, it is recommended that all organisations, as part of their internal procedures on personal data breaches, have a system in place for recording how and when they become aware of personal data breaches and how they assessed the potential risk posed by the breach.
Where it is not possible to provide all of the relevant information to the DPA within the 72-hour period, the notification should be made in several steps. The initial notification should be lodged and further information may be provided in phases.
Similarly, per Art. 33(2) GDPR, if your SME is a data processor, processing personal data on behalf of another organisation, you must notify the data controller of any personal data breach without undue delay. This is of key importance in enabling the data controller to comply with their notification obligations in due time. The requirements on breach reporting should also be detailed in the contract between the data controller and processor, as required under Art. 28 GDPR.
A notification of a personal data breach to the relevant DPA must at least:
- describe the nature of the personal data breach, including, where possible, the categories and approximate number of individuals concerned and the categories and approximate number of personal data records concerned;
- communicate the name and contact details of the data protection officer (DPO) or other contact point where more information can be obtained;
- describe the likely consequences of the personal data breach; and
- describe the measures taken or proposed to be taken by the SME to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Communication of that breach to affected individuals
In addition, some data breaches must be notified without undue delay to the individuals affected. This is the case when the personal data breach is likely to result in a high risk to the rights and freedoms of the natural person.
The intention behind this requirement is to ensure that affected individuals can take the necessary precautions where incidents have occurred which are likely to result in a high risk to them.
Such communications to individuals must be made without delay, and where appropriate in close cooperation with the relevant DPA. In cases where there is a need to mitigate an immediate risk to individuals, prompt communication will be necessary.
There are circumstances where data controllers will not be required to notify individuals, such as where:
- the data controller had encrypted the data and the encryption keys were not compromised;
- the data controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of individuals is no longer likely to materialise; or
- it would involve disproportionate effort. In such a case, however, the data controller must still ensure, by way of a public communication or similar measure, that individuals are informed in an equally effective manner.
This communication to the individual should describe in clear and plain language the nature of the personal data breach and should include at least the following information:
- the name and contact details of the data protection officer or other contact point where more information can be obtained;
- a description of the likely consequences of the personal data breach; and
- a description of the measures taken or proposed to be taken by the organisation to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
The communication should also describe recommendations for the individuals concerned to mitigate potential adverse effects of the breach.
Data controllers and processors are encouraged to plan in advance and put in place processes to be able to detect and promptly contain a breach, to assess the risk to individuals, and then to determine whether it is necessary to notify the competent DPA, and to communicate the breach to the individuals concerned when necessary.
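As an added example (not code from the original guidance), the decision logic described above expressed in Python: a register entry of the kind Art. 33(5) requires, the 72-hour clock that starts at awareness, the two notification decisions, the circumstances in which individuals need not be contacted directly, and a check of the minimum content of a DPA notification. The field names, the Risk enum and the sample ransomware entry are assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum

class Risk(Enum):
    UNLIKELY = "unlikely to result in a risk"
    RISK = "likely to result in a risk"
    HIGH = "likely to result in a high risk"

@dataclass
class BreachRecord:
    """Internal register entry (the Art. 33(5) record): facts, assessment and response."""
    aware_at: datetime  # moment of 'awareness' with reasonable certainty, in UTC
    nature: str
    risk: Risk
    steps_taken: list = field(default_factory=list)
    # circumstances under which communication to the individuals is not required
    encrypted_keys_not_compromised: bool = False
    high_risk_no_longer_likely: bool = False
    disproportionate_effort: bool = False

DPA_FIELDS = ("nature", "contact_point", "likely_consequences", "measures")

def dpa_deadline(record):
    """Notification to the DPA is due within 72 hours of becoming aware."""
    return record.aware_at + timedelta(hours=72)

def must_notify_dpa(record):
    return record.risk is not Risk.UNLIKELY

def delay_needs_justification(record, sent_at):
    """A notification lodged after the 72-hour window must carry reasons for the delay."""
    return must_notify_dpa(record) and sent_at > dpa_deadline(record)

def individual_communication(record):
    """'none', 'direct' (to each individual) or 'public' (public communication or similar)."""
    if record.risk is not Risk.HIGH:
        return "none"
    if record.encrypted_keys_not_compromised or record.high_risk_no_longer_likely:
        return "none"
    return "public" if record.disproportionate_effort else "direct"

def missing_dpa_fields(notification):
    # minimum content of the DPA notification; gaps may be filled in later phases
    return [f for f in DPA_FIELDS if not notification.get(f)]

# Constructed sample: ransomware rendered a customer database unavailable without a backup.
SAMPLE = BreachRecord(
    aware_at=datetime(2024, 3, 4, 9, 30, tzinfo=timezone.utc), risk=Risk.HIGH,
    nature="ransomware encrypted approx. 12,000 customer records",
    steps_taken=["isolated affected hosts", "restore from offline copy started"])
```

The sample entry must be notified to the DPA by the computed deadline and communicated directly to the affected customers; an otherwise identical entry whose data was encrypted with uncompromised keys would not require that communication.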
When do you need to notify a data breach?