Contained within the General Data Protection Regulation (GDPR) is an obligation to notify the Information Commissioner’s Office (ICO) of a data breach which meets certain criteria:
- The GDPR introduces a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority. You must do this within 72 hours of becoming aware of the breach, where feasible.
- If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, you must also inform those individuals without undue delay.
- You should ensure you have robust breach detection, investigation and internal reporting procedures in place. This will facilitate decision-making about whether or not you need to notify the relevant supervisory authority and the affected individuals.
- You must also keep a record of any personal data breaches, regardless of whether you are required to notify.
(You can read the full guidance here)
This duty is new and is not carried over from the Data Protection Act (DPA). What are the practical implications of this duty and how do they affect you and your business?
What is a data breach?
The ICO defines it thus: “A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data”. Contrary to popular opinion, a data breach doesn’t only occur when personal data is stolen or otherwise acquired in an unauthorised manner. If personal data was rendered unavailable, that could potentially constitute a data breach. If a bank suffered a systems failure that prevented customers from accessing their accounts, that, on a sufficient scale, may constitute a breach under the terms of the GDPR as there is a real risk that customers could suffer loss or harm.
The test for whether or not you have to report a breach is based on risk; the risk that the data subjects whose information has been compromised will suffer some form of hurt or damage. In a simple example, if thousands of medical records were accessed and put into the public domain, that would be a clear risk of harm, and be clearly notifiable. If the same data was maliciously encrypted and held to ransom there would also be a risk to the individuals as the lack of that data to medical professionals could also put the individuals at risk. In both cases, although very different, the breach would have to be notified as there is a demonstrable risk to the individual.
In both of these cases, not only would you have a duty to inform the ICO, you would also have to inform the individuals affected by the breach. This could be an onerous activity if many thousands of data subjects are involved and you should be mindful of this when planning potential responses to a breach. One practical caveat: the GDPR does not require individual notification where the data was protected by measures, such as strong encryption, that render it unintelligible to anyone not authorised to access it, which is a strong argument for encrypting sensitive records at rest before a breach ever happens.
On the other hand, if a company that held personal data used only for marketing suffered a server failure that left it unable to access the data, but had a full contemporaneous backup from which it was able to restore quickly, it may not be obliged to notify, as no appreciable risk attached to the short period during which the data was unavailable. It would still have to record the incident internally, as noted above.
Where a breach is held to be notifiable, the ICO would expect you to inform them within 72 hours of becoming aware of it (not of its occurrence, which may be considerably earlier than its discovery). If you miss the 72 hours, the notification must be accompanied by the reasons for the delay. The ICO accepts that you may not have all the details at that point; information can be provided in phases, and you are expected to complete your investigations as quickly as possible, keeping the ICO informed of your findings.
The upshot of this is that companies not only have to take all reasonable steps to secure their systems and data but they need to perform risk assessments in order to understand the potential dangers should a breach occur. This is best done as part of an overall data audit prior to embarking on any changes to meet the requirements of the GDPR. Unless you fully understand the nature of the data you hold and process, and the potential risks to individuals should a breach occur, it is nigh on impossible to put in place appropriate security and procedures to protect that data. At Onestop, this is one of the very first actions we would advise and assist clients with.
Any such audit also needs to take into account any third parties that you use to process data; under the GDPR you are responsible for ensuring that they too adhere to the requirements, and your contracts with them must oblige the processor to tell you about any breach without undue delay, since your 72-hour clock starts once you become aware. This falls under the heading of vendor management and is another area that Onestop can actively assist you with.
Any data breach carries with it a potential operational impact; a notifiable breach carries the additional risk of reputational damage to the organisation since, once notified, and particularly where affected individuals must be told, the breach is likely to become public. In such an environment your cybersecurity provisions become even more important.
It is simply beyond the scope of this article to offer comprehensive advice on cybersecurity; what is appropriate, what is necessary will vary markedly between companies.
Since the requirement to notify carries with it a duty to describe the nature of the breach, its likely consequences and the actions taken to contain it and mitigate the risk, whatever provision you make must include the ability to derive meaningful reports on any suspicious activity (in practice, retained logs that show what was accessed, when, and by whom), allied to processes and procedures designed to ensure that a breach is identified and curtailed as quickly as is reasonably possible.
Security is not simply a matter of installing a firewall and anti-malware software; it is a systematic approach that needs to be planned, implemented and regularly tested. The GDPR makes this explicit: it requires security measures appropriate to the risk, including a process for regularly testing and evaluating their effectiveness, and it introduces the principle of “data protection by design and by default”, putting an obligation on organisations to ensure that when designing new systems and procedures, data protection and security are an integral part of the design process and not merely an addendum bolted on at the end.
Cybersecurity, like security in general, is a serious subject and getting it right takes time, effort and cost. Getting the right advice, especially as we await the application of the GDPR from 25 May 2018, is more crucial than ever. Onestop IT are specialists in all aspects of the GDPR and can offer advice and assistance to guide you through the necessary steps to ensure your compliance with the new regulations.