Accredited Member Employees

Corporate Accreditation

Accredited Member Employees

Corporate Accreditation

Accredited Member Employees

Corporate Accreditation

What is a data breach?


A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.

What Breaches need to be reported?

Although there is no legal obligation for data controllers to report breaches of security which result in loss, release or corruption of personal data, the Information Commissioner believes serious breaches should be brought to the attention of his Office. The nature of the breach or loss can then be considered together with whether the data controller is properly meeting his responsibilities under the DPA.
‘Serious breaches’ are not defined. However, the following should assist data controllers in considering whether breaches should be reported:

The potential detriment to data subjects:

The potential detriment to individuals is the overriding consideration in deciding whether a breach of data security should be reported to the ICO. Detriment includes; Emotional distress as well as both physical and financial damage.

  • Ways in which detriment can occur include:
    • Exposure to identity theft through the release of non-public identifiers, eg passport number;
    • Information about the private aspects of a person’s life becoming known to others, eg financial circumstances.
The extent of detriment likely to occur is dependent on both the volume of personal data involved and the sensitivity of the data.
  • Where there is significant actual or potential detriment as a result of the breach, whether because of the volume of data, its sensitivity or a combination of the two, there should be a presumption to report.
  • Where there is little risk that individuals would suffer significant detriment, for example, because a stolen laptop is properly encrypted or the information that is the subject of the breach is publicly available information, there is no need to report.
  • The volume of personal data lost / released / corrupted
There should be a presumption to report to the ICO where a large volume of personal data is concerned and there is a real risk of individuals suffering some harm. It is difficult to be precise about what constitutes a large volume of personal data. Every case must be considered on its own merits.

How do I report a data breach?

Our helpline can offer you advice about what to do after you have experienced a personal data breach, including how to contain it and how stop it happening again.
We can also advise about whether you need to tell the relevant authority and any data subjects involved.

What information will I need to provide?

When you phone, we’ll ask you questions about:
  • What has happened;
  • When and how you found out about the breach;
  • The people that have been or may be affected by the breach;
  • That you are doing as a result of the breach; and
  • Who we should contact if we need more information and who else you have told.
  • Breaches under GDPR / Data Protection Act 2018
The new regulations introduce a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority. You must do this within 72 hours of becoming aware of the breach, where feasible.
If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, you must also inform those individuals without undue delay.
You should ensure you have robust breach detection, investigation and internal reporting procedures in place. This will facilitate decision-making about whether or not you need to notify the relevant supervisory authority and the affected individuals.
You must also keep a record of any personal data breaches, regardless of whether you are required to notify.

Checklists

Preparing for a personal data breach

We know how to recognise a personal data breach.
  • We understand that a personal data breach isn’t only about loss or theft of personal data.
  • We have prepared a response plan for addressing any personal data breaches that occur.
  • We have allocated responsibility for managing breaches to a dedicated person or team.
  • Our staff know how to escalate a security incident to the appropriate person or team in our organisation to determine whether a breach has occurred.
Responding to a personal data breach
  • We have in place a process to assess the likely risk to individuals as a result of a breach.
  • We know who is the relevant supervisory authority for our processing activities.
  • We have a process to notify the ICO of a breach within 72 hours of becoming aware of it, even if we do not have all the details yet.
  • We know what information we must give the ICO about a breach.
  • We have a process to inform affected individuals about a breach when it is likely to result in a high risk to their rights and freedoms.
  • We know we must inform affected individuals without undue delay.
  • We know what information about a breach we must provide to individuals, and that we should provide advice to help them protect themselves from its effects.
  • We document all breaches, even if they don’t all need to be reported.
What is a personal data breach?
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.
A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data. In short, there will be a personal data breach whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable and this unavailability has a significant negative effect on individuals.
Recital 87 of the GDPR makes clear that when a security incident takes place, you should quickly establish whether a personal data breach has occurred and, if so, promptly take steps to address it, including telling the ICO if required.

What breaches do we need to notify the ICO about?

When a personal data breach has occurred, you need to establish the likelihood and severity of the resulting risk to people’s rights and freedoms. If it’s likely that there will be a risk then you must notify the ICO; if it’s unlikely then you don’t have to report it. However, if you decide you don’t need to report the breach, you need to be able to justify this decision, so you should document it.
We can help you to consider and document that decision.
In assessing risk to rights and freedoms, it’s important to focus on the potential negative consequences for individuals. Recital 85 of the GDPR explains that:
“A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned.”
This means that a breach can have a range of adverse effects on individuals, which include emotional distress, and physical and material damage. Some personal data breaches will not lead to risks beyond possible inconvenience to those who need the data to do their job. Other breaches can significantly affect individuals whose personal data has been compromised. You need to assess this case by case, looking at all relevant factors.

What role do processors have?

If your organisation uses a data processor, and this processor suffers a breach, then it must inform you without undue delay as soon as it becomes aware.
If you use a processor, the requirements on breach reporting should be detailed in the contract between you and your processor. For more details about contracts and third parties, contact us.

How much time do we have to report a breach?

You must report a notifiable breach to the ICO without undue delay, but no later than 72 hours after becoming aware of it. If you take longer than this, you must give reasons for the delay.
Contact us for guidance on what “become aware” actually means.

What information must a breach notification to the supervisory authority contain?

When reporting a breach, the GDPR says you must provide:
  • A description of the nature of the personal data breach including, where possible:
  • The categories and approximate number of individuals concerned; and
  • The categories and approximate number of personal data records concerned;
  • The name and contact details of the data protection officer (if your organisation has one) or another contact point where more information can be obtained;
  • A description of the likely consequences of the personal data breach; and
  • A description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.

What if we don’t have all the required information available yet?

The GDPR recognises that it will not always be possible to investigate a breach fully within 72 hours to understand exactly what has happened and what needs to be done to mitigate it. So Article 34(4) allows you to provide the required information in phases, as long as this is done without undue further delay.
Controllers should prioritise the investigation, give it adequate resources, and expedite it urgently. You must still notify us of the breach when you become aware of it, and submit further information as soon as possible. If you know you won’t be able to provide full details within 72 hours, it is a good idea to explain the delay to us and tell us when you expect to submit more information.

How do you notify a breach to the ICO?

We can help you to notify the authority and any affected Data Subjects.
Remember, in the case of a breach affecting individuals in different EU countries, the ICO may not be the lead supervisory authority. This means that as part of your breach response plan, you should establish which European data protection agency would be your lead supervisory authority for the processing activities that have been subject to the breach. For more guidance on determining who your lead authority is, Contact Us

When do we need to tell individuals about a breach?

If a breach is likely to result in a high risk to the rights and freedoms of individuals, the GDPR says you must inform those concerned directly and without undue delay. In other words, this should take place as soon as possible.
A ‘high risk’ means the threshold for informing individuals is higher than for notifying the authority. Again, you will need to assess both the severity of the potential or actual impact on individuals as a result of a breach and the likelihood of this occurring. If the impact of the breach is more severe, the risk is higher; if the likelihood of the consequences is greater, then again the risk is higher. In such cases, you will need to promptly inform those affected, particularly if there is a need to mitigate an immediate risk of damage to them. One of the main reasons for informing individuals is to help them take steps to protect themselves from the effects of a breach.
If you decide not to notify individuals, you will still need to notify the authority unless you can demonstrate that the breach is unlikely to result in a risk to rights and freedoms. You should also remember that the authority has the power to compel you to inform affected individuals if we consider there is a high risk. In any event, you should document your decision-making process in line with the requirements of the accountability principle.

What information must we provide to individuals when telling them about a breach?

You need to describe, in clear and plain language, the nature of the personal data breach and, at least:
  • The name and contact details of your data protection officer (if your organisation has one) or another contact point where more information can be obtained;
  • A description of the likely consequences of the personal data breach; and
  • • A description of the measures taken, or proposed to be taken, to deal with the personal data breach and including, where appropriate, of the measures taken to mitigate any possible adverse effects.

Does the GDPR require us to take any other steps in response to a breach?

You should ensure that you record all breaches, regardless of whether or not they need to be reported to the authority.
Article 33(5) requires you to document the facts relating to the breach, its effects and the remedial action taken. This is part of your overall obligation to comply with the accountability principle, and allows us to verify your organisation’s compliance with its notification duties under the GDPR.
As with any security incident, you should investigate whether or not the breach was a result of human error or a systemic issue and see how a recurrence can be prevented – whether this is through better processes, further training or other corrective steps.

What else should we take into account?

The following aren’t specific GDPR requirements, but you may need to take them into account when you’ve experienced a breach.
It is important to be aware that you may have additional notification obligations under other laws if you experience a personal data breach. For example:
If you are a communications service provider, you must notify the authority of any personal data breach within 24 hours under the Privacy and Electronic Communications Regulations (PECR). You should use our PECR breach notification form, rather than the GDPR process. Contact us if you need help with this.
If you are a UK trust service provider, you must notify the ICO of a security breach, which may include a personal data breach, within 24 hours under the Electronic Identification and Trust Services (eIDAS) Regulation. Where this includes a personal data breach you can use our eIDAS breach notification form or the GDPR breach-reporting process. However, if you report it to us under the GDPR, this still must be done within 24 hours. Please contact us if you need for more information.
If your organisation is an operator of essential services or a digital service provider, you will have incident-reporting obligations under the NIS Directive. These are separate from personal data breach notification under the GDPR. If you suffer an incident that’s also a personal data breach, you will still need to report it to the authority separately, and you should use the GDPR process for doing so.
You may also need to consider notifying third parties such as the police, insurers, professional bodies, or bank or credit card companies who can help reduce the risk of financial loss to individuals.
The European Data Protection Board, which will replace the Article 29 Working Party, may issue guidelines, recommendations and best practice advice that may include further guidance on personal data breaches. You should look out for any such future guidance. Likewise, you should be aware of any recommendations issued under relevant codes of conduct or sector-specific requirements that your organisation may be subject to.

What happens if we fail to notify?

Failing to notify a breach when required to do so can result in a significant fine up to €10 million or 2% of your global turnover and negative publicity. The fine can be combined with the relevant authorities’ other corrective powers under Article 58. So it’s important to make sure you have a robust breach-reporting process in place to ensure you detect and can notify a breach, on time; and to provide the necessary details.

Get in touch