GDPR introduced mandatory reporting for certain personal data breaches. Knowing what constitutes a breach, and when it has to be reported to the Information Commissioner's Office (ICO), is critical.

If a breach is likely to result in a risk to the rights and freedoms of data subjects, your organisation must report it to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it. The 72 hours is not an investigation window: if the extent of the breach is still being established, report what is known and supply the remaining details in phases. Where the risk to individuals is high, the affected data subjects must also be told.

What is a personal data breach?

GDPR defines a personal data breach as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. A breach is therefore not limited to data being stolen or leaked: losing access to personal data, or having it corrupted, also counts. The following are examples of personal data breach incidents.

  • Device loss – loss of laptops, phones, USB sticks or other portable devices used to store personal data
  • Data theft – theft of personal data by an employee or contractor
  • Data theft as a result of a successful hacking attack
  • Malware (including ransomware) which results in system failure and the loss or corruption of personal data
  • Compliance failings, for example passing personal data to a subcontractor without a processor contract in place
  • Data sharing outside the terms agreed in a data sharing agreement
  • Human error, for example sending an email to the wrong recipient or enclosing someone else's paperwork when putting a printed letter into an envelope
  • System error, for example an incomplete mail merge, or mismatched names and addresses
  • Loss of access to critical records, for example through flooding or IT system disruption, leaving data subjects without service in vital areas

Which breaches have to be reported to the Information Commissioner?

Under GDPR a personal data breach is reportable unless it is unlikely to result in a risk to the rights and freedoms of data subjects. A risk to just one data subject may be enough to make it reportable on this basis. Whether or not a breach is reported, it must be recorded internally, with the facts, its effects and the remedial action taken, so that the ICO can verify the decision. To help organisations decide when to report, the ICO runs a helpline for security breach reporting so that organisations can discuss the specific circumstances of a breach and obtain guidance on whether or not it should be reported.

Guidance from the European Data Protection Board (the EU body that issues guidelines on applying GDPR and advises the European Commission) about personal data breach reporting under GDPR says:

“You only have to notify the relevant supervisory authority of a breach where it is likely to result in a risk to the rights and freedoms of individuals. If unaddressed such a breach is likely to have a significant detrimental effect on individuals – for example, resulting in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage.

This has to be assessed on a case by case basis. For example, you will need to notify the relevant supervisory authority about a loss of customer details where the breach leaves individuals open to identity theft. On the other hand, the loss or inappropriate alteration of a staff telephone list, for example, would not normally meet this threshold.”

When to report to data subjects

Under GDPR there is a duty to tell the affected individuals, without undue delay, about breaches that are likely to result in a high risk to their rights and freedoms, so that they can take action to protect themselves from the potential impact of the breach.

The term 'high risk' indicates that the threshold for notifying data subjects is higher than the threshold for notifying the ICO. The ICO will guide organisations on whether or not to report a breach to data subjects and how to do so, and can require an organisation to notify them where it has not done so itself.

This and other guidance is included in the Data Protection Consulting Toolkit. Read more about the Toolkit here.