March 16, 2018

GDPR – handling a breach

How do I prepare to best protect my organisation in the event of a breach?

The best way to prepare is to develop a procedure to follow in the event of a breach and a log to record both the breach and your response to it. In following a calmly thought out procedure you are far less likely to forget something and expose your organisation to a potential fine. The procedure should be available to all staff and easily accessible 24 hours a day, such as on an intranet.

The first step in that procedure should be for an employee to report the concern about a potential breach to the Data Protection Lead in your organisation, with a deputy Lead covering any sickness or holiday absence. The DPL can then follow the remaining procedure in order to determine the seriousness of the breach and whether it needs to be reported. If the steps taken to mitigate the loss of data are recorded, on a pre-planned log, that will provide evidence to the ICO of the steps taken in the event that an investigation is required.

All breaches need to be reported to the ICO, don’t they?

The short answer is no. If a breach is unlikely to pose a risk to the rights and freedoms of the individuals whose data has been lost or stolen then it need not be reported to the ICO. Of course you would still need to determine the extent and cause of the breach and to repair any security issues whatever the position on reporting. It may be that the investigation changes your view of the extent and impact of the breach so it should be investigated as a matter of urgency.

If in doubt contact the ICO to discuss whether or not to make a formal report. Contact will be available via dedicated email or telephone. We recommend advance preparation of the likely scenarios for your organisation in light of the different types of data that you hold and the thresholds for reporting that your organisation deems appropriate.

For most data controllers, it will also be important to include indemnities such that if the data processor causes a data breach, the data processor will pay any losses arising (including any fine imposed by the ICO).

What is the deadline for making the report?

As soon as practicable and in any event no more than 72 hours from your becoming aware of the breach. That does not mean that you can wait until the 71st hour. You must still be able to demonstrate that you made the report as soon as practicable.

What details do I need to provide to the ICO when making a report?

You need to report sufficient information to enable the ICO to determine the urgency of the incident and to speak to your organisation about it. This means: the name of the individual dealing with the matter and their contact details; the nature of the incident, the type of data and the number of data subjects involved; the steps that you have taken to halt or minimise the loss so far; and what you intend to do to further minimise the damage and to strengthen data security.

What if I don’t have time to gather all that within 72 hours?

So long as you provide contact details and sufficient information to enable the ICO to determine the urgency of the incident, the key point is that the report is made in time. The ICO states that it will accept a report containing the information available at the time, with the additional detail to be provided as soon as possible thereafter.

There is a fine for late reporting of a breach in addition to the potential fine for the breach itself. There is also the reputational damage arising from ICO sanctions and from the publication of those sanctions on the ICO website; this impact on your organisation could be far longer lasting.

What else might I need to do?

If the breach is likely to pose a serious threat to the rights and freedoms of the individuals whose data is lost or stolen then you must also report the breach to those individuals. Examples of this type of threat would be the loss of financial information or of data likely to cause damage to that individual’s reputation.

You might also need to report the breach to your insurers, those with whom you share data, any data processors and third parties who might be affected.

There are new criminal penalties being introduced by the forthcoming Data Protection Act, including one for tampering with a subject’s data after they have made a request to access that data. There are also new civil causes of action for individuals who believe that their data rights have been infringed. You need to be mindful of these additional risks when preparing to be GDPR compliant.
