The European Data Protection Board has opened a public consultation in relation to one of its guidelines on personal data breach notification under the GDPR. Although the UK has left the EU, the ICO has confirmed that these guidelines continue to be relevant to the UK data protection regime.
The above guideline is quite specific, relating to breach notification across member states, however, it presents a good opportunity for us to remind organisations of breach obligations more generally.
Reporting timeline and fines
Organisations must report personal data breaches to the ICO without undue delay, and where feasible within 72 hours of becoming aware of the breach. In some cases, organisations must also inform the individuals whose personal data is affected.
Failing to notify the ICO of all notifiable breaches can result in a fine of up to £8.7 million or 2 per cent of an organisation’s global turnover. The ICO’s other corrective powers can also be combined with the fine.
Notification to the ICO
Notification to the ICO must be made where a personal data breach is likely to result in a risk to individuals’ rights and freedoms. To assess whether this is the case, organisations should consider the specific circumstances of the breach and its potential impact. If an organisation decides against reporting the breach, it should document this and retain any relevant information it used to arrive at its decision that there is no risk to individuals’ rights and freedoms.
Information to include in a breach notification to the ICO:
- the details of the personal data breach, such as the type of personal data involved as well as the number of individuals affected;
- a description of the likely consequences of the personal data breach;
- a description of actions that are (or will be) taken to deal with the personal data breach, or to mitigate its negative effects;
- the date and time the breach was detected;
- the date and time the breach actually occurred (or an estimate); and
- the data protection officer’s name and contact details, or some other point of contact where more information can be obtained;
Because information must be provided without undue delay, it is an option for organisations to notify the ICO in stages if they do not have all of the details.
Notification to individuals
Individuals must be notified of a breach where it is likely to result in a high risk to their rights and freedoms. This threshold is higher than reporting to the ICO, and so where individuals must be notified, the ICO will always have to be notified too. As with reporting to the ICO, individuals must be notified without undue delay.
Information to include in a breach notification to individuals:
- the likely consequences of the personal data breach;
- a description of the measures taken, or proposed to be taken, to deal with the breach including actions taken to mitigate its effects; and
- the data protection officer’s name and contact details, or some other point of contact where more information can be obtained.
If there are any steps which the individuals can themselves take to mitigate the impact of the breach, organisations should also communicate this to them. This may include, for example, changing passwords.
In a major cyber incident, the ICO recommends considering whether this should be reported to the National Cyber Security Centre (NCSC). The NCSC responds to cyber security incidents to reduce the harm they cause to organisations. Showing that the help of the NCSC has been sought may be an important feature of breach handling. However, it is not an alternative to reporting the breach to the ICO; the ICO must be notified without undue delay.
Organisations may also wish to report the incident to Action Fraud (or Police Scotland, if the organisation is located in Scotland), if the incident could have a high risk of individuals being affected by fraud.
Unsure of whether a breach is notifiable?
Not every breach has to be reported to the ICO. The ICO has a self-assessment tool on its website to assist organisations in determining whether a breach poses a risk to people’s rights and freedoms and should therefore be reported. The self-assessment takes five minutes to complete.
If you need any advice on breaches of personal data, please do not hesitate to contact a member of our data protection team who will be happy to assist.