Under the General Data Protection Regulation (GDPR) you have just 72 hours to report notifiable breaches. Organisations need an effective process to help make swift decisions and justify any agreed outcomes to the regulator.
Breach notification requirements have been in place for years for some organisations. But it will be new to many organisations and the right course of action isn’t always that clear cut. To protect your business you should create a risk assessment framework to determine the facts surrounding the breach, its scale, the nature of the information involved and the possible effect on the people the information is about.
So what does this mean for you?
In the event of a data breach which is reported to the ICO, you could receive a very large fine. But you can face the same level of fine for failing to tell the regulator about a notifiable breach. This dilemma is compounded by the fact that it is often far from clear whether a breach is notifiable or not.
What breaches should you report?
The default position under the GDPR is that all breaches of personal information should be reported to the regulator unless they are “unlikely to result in a high risk to the rights and freedoms of natural persons”. In some cases, you will also have to notify the individuals affected.
The issue here is that the threshold for reporting - ‘high risk’ – can be difficult to apply in practice. Even as case-law and regulators’ guidance develops, in many cases it will still be unclear whether a breach has to be notified and, if so, who to.
EU data protection regulators have defined a ‘high risk’ breach to mean one which may lead to “physical, material or non-material damage” for affected individuals. Damage may include discrimination, identity theft or fraud, financial loss or damage to reputation, but the sensitivity of the information is also taken into account. Information about someone’s health or sexuality, for example, is likely to be ‘high risk’ and thereforethe regulator should be made aware.
The spectrum of data breaches is also wide, from the trivial (professional details sent to the wrong department in the same company) to the very serious (a customer’s bank details being leaked). But, there is a very grey area in-between the two ends of the spectrum and deciding whether a breach is notifiable requires careful judgement based on the circumstances of a particular case.
Err on the side of caution
If in doubt, it is generally best to ‘come clean’ and notify the ICO and those affected by a significant breach. This could result in a fine, and/or reputation damage and possibly customer complaints.So this decision needs careful – and quick – consideration.
If your company does decide to notify of a breach you must have a ‘good story to tell’ in terms of establishing an initial outline of the nature and cause of the breach. The regulator will expect a plan to minimise the damage and reduce the risk of it happening again. A ‘we don’t know what happened and haven’t done anything about it yet’ response will not play well.
If you decide not to notify
Even if you decide that a breach is not notifiable, your business needs to enter the breach into a log containing information about any data breach that occurs, even obviously trivial, non-notifiable ones. The ICO website provides a template for creating a breach log and it is important to make sure staff know how to recognise and escalate a data breach.
You should be able to demonstrate risk assessment processes behind the decision not to notify the regulator. Without this, you make yourself vulnerable to accusations that a breach was deliberately withheld to preserve reputation – which would probably be an aggravating factor if the regulator does investigate the breach.
So there’s a lot to consider and just 72 hours to do it in. To protect your business, you must have an effective system in place for making sure all your people with access to personal information know what a data breach is and how to respond if they become aware of one. You also need a process for evaluating and documenting any breaches that do occur.
Admitting that you had a breach, finding out how it happened, doing the right things to prevent a recurrence – eg staff training – is the best that you can do and is what the regulator will expect. It’s also what the people whose personal information you collect – customers, clients, employees – will expect of you.
For more information about data breach notifications and data privacy, please contact Iain Bourne.