Breach and tell? What to do when you discover a personal data breach
Under the UK General Data Protection Regulation (UK GDPR), one of the key obligations is to report certain personal data breaches to the Information Commissioner’s Office (ICO) without undue delay (and within 72 hours, where feasible).
With this in mind, we take a look at what to do when you learn of a personal data breach, with a focus on how to decide whether you must make a report to the ICO, what to tell the ICO if you do report a breach and when you need to report the breach to the affected individuals as well.
What is a personal data breach?
The UK GDPR defines a personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
This broad definition means that personal data breaches are very easy to commit. Common examples could include a misdirected work email containing an employee’s personal contact details, an external computer hack, or a stolen mobile phone. However, a breach may not always be as obvious as that. For example, an employer providing an overly detailed occupational reference, which volunteers information that is irrelevant to the job in question such as details of the applicant’s health, could amount to a personal data breach.
Identify whether the breach must be reported to the ICO
It is important to note that you do not need to report personal data breaches to the ICO if they are unlikely to result in a risk to the rights and freedoms of individuals. However, a personal data breach that is likely to result in such a risk must be reported to the ICO without undue delay (and, where feasible, within 72 hours of the controller becoming aware of it).
The European-level guidance on breach reporting requirements provides some criteria that you can consider when assessing risk, to help you decide whether you need to report the breach to the ICO. (Although the UK has left the EU, the ICO has confirmed that it still considers the European-level guidance on the EU GDPR, as it applied in the UK before Brexit, to provide useful insights for controllers in the UK when they are applying the UK GDPR now.) The criteria set out in that guidance for assessing the risk involved in a personal data breach include:
- the type of breach;
- the nature, volume and sensitivity of the data in question;
- the severity of consequences for individuals and their vulnerability; and
- the number of people affected.
While some personal data breaches will be obviously reportable, such as breaches involving the loss or theft of special category data (e.g. health data), others will be more borderline. For example:
- where an employee loses a company mobile phone containing personal data, whether the company’s IT department can remotely disable the phone, and whether the data is encrypted and password protected, could make a difference when deciding whether the loss of the phone is likely to result in a risk to the rights and freedoms of individuals such that it is necessary to report it to the ICO as a reportable personal data breach.
Note that the requirement to report covers personal data breaches relating both to personal data that you control and/or process yourself (e.g. personal data stored in your company's electronic systems or manual files) and to personal data processed by a third-party processor (e.g. a payroll provider) on your behalf.
If a personal data breach was caused by a third party processing personal data on your behalf, the processor must notify the breach to you without undue delay. However, you are solely responsible for notification of the breach to the ICO and to affected individuals if applicable (see below).
Report within the deadline and include relevant information
As noted above, you must notify reportable personal data breaches to the ICO without undue delay (and within 72 hours, where feasible). The 72-hour timeframe for reporting a personal data breach to the ICO does not differentiate between working and non-working hours. If you become aware of the breach on a Friday afternoon, the 72 hours would expire on the subsequent Monday afternoon. You should therefore ensure that you have systems in place to facilitate out-of-hours reporting if necessary.
The notification must describe the nature of the personal data breach, including categories and approximate number of data subjects and personal data records concerned, likely consequences of the breach, and measures that you have taken (or that you will take) to address it. It must also provide a point of contact for the ICO should they require further information.
If you do not have all of the required information about the personal data breach within the 72-hour timeframe, you should not delay notification until the outstanding information is available. You should notify the ICO within the deadline, providing as much information as possible and explaining the reasons for the delay. You can then provide the remaining information in phases, without undue further delay, as it becomes available.
Keep internal records of any decision not to report a breach
If you decide not to notify the ICO of a personal data breach, you must keep a clear record of your risk assessment in order to satisfy the requirement for accountability that applies under the UK GDPR. The inclusion of detailed reasoning will be particularly important where a case is borderline, or the assessment of the damage feels particularly subjective, as the ICO can demand to see your internal breach records in order to verify your compliance with your breach reporting obligations.
Inform affected individuals about high-risk breaches
As well as reporting to the ICO, where a breach is likely to result in a high risk to the rights and freedoms of individuals, you must report the breach to affected individuals without undue delay.
The only exceptions are where:
- you had applied appropriate technical and organisational protection measures to the data affected by the breach (e.g. leaked data was encrypted so should be unintelligible to anyone who does not have authority to access it);
- you have taken subsequent measures to ensure that the risk to individual rights is no longer likely to materialise; or
- communicating to each affected individual would involve disproportionate effort – in such cases, a public statement will be required instead. (In the employment context, you are probably unlikely to be able to rely on the ‘disproportionate effort’ exemption to avoid having to notify existing employees of a personal data breach, but you may possibly be able to do so in respect of ex-employees.)
Take additional steps to limit adverse effects and reduce future risk
As well as assessing whether a breach is reportable, once you become aware of a breach, you will immediately need to consider how to limit any potential adverse effects on the individuals whose data has been compromised, as well as any damage, including reputational damage, to the company. Depending on the nature of the breach, you may also be facing enforcement action by the ICO.
The next step is to consider what action is needed to reduce the risk of a similar breach happening again. Although in practice not all breaches can be prevented, reviewing the results of your investigation into a breach can help you to identify practical steps you can take to lessen the chances of a similar incident happening again.
If you do not already have one, we strongly recommend putting a breach reporting procedure in place. Such a procedure should set out the steps to take when a potential personal data breach is discovered. It would provide guidance for staff on when a breach should be reported to the ICO and to affected individuals, specify what is required by way of internal record-keeping and set out key steps to take to manage the fallout following a breach.
How we can help
Make UK member companies can access further information on their personal data breach reporting obligations here and can speak to their regular adviser for guidance on their particular circumstances.
Our team of expert HR solicitors, lawyers and consultants can provide advice to non-members on a consultancy basis, on both data breach reporting obligations and broader UK GDPR compliance requirements, supporting you with training to build the right level of data protection knowledge within your organisation and providing hands-on support for complex data protection issues.
We also offer a suite of essential UK GDPR template documents for HR. This set of legally drafted template policies, notices, forms and supporting guides (which includes a guide to handling personal data breaches) will help you easily and confidently meet the requirements of the law.