What does GDPR require following a data breach?
The GDPR has introduced a mandatory breach notification procedure for organisations that suffer security breaches leading to the accidental or unlawful destruction, loss or disclosure of personal data. Here are the headline facts.
One of the key changes introduced by GDPR comes under Article 33 - the mandatory 72-hour breach reporting requirement. This requires that, in the event of a personal data breach where there is likely to be a risk to individuals, data controllers notify the appropriate authority (in the UK, the Information Commissioner’s Office) “without undue delay and, where feasible, not later than 72 hours after having become aware of it.” You also have to notify affected individuals without undue delay where there is a high risk to their rights or freedoms.
In practical terms this means that, under the new GDPR requirements, organisations have just 72 hours from becoming aware of a breach to gather all the related information and report it to the relevant authority.
What sort of breach are we talking about?
The GDPR provides a very broad definition of what it means by a data breach. It can include the permanent or temporary loss or destruction of data, whether accidental or unlawful, through deliberately deleting records or through errors, losing data through the encryption process, ransomware attacks, losing passwords, or the unauthorised access to or disclosure of personal data.
So whilst it might be relatively easy to identify a security incident as a “breach”, the more difficult analysis is likely to be whether the breach is a notifiable breach. In other words, what is the risk to individuals? Identifying and quantifying risk is a very tricky area and we will revisit this in a later blog piece.
What information will the ICO expect to see?
Assuming the breach is notifiable, you must provide at least the following information to the ICO:
The nature of the breach - whose data is affected, what has been accessed, by whom, when and how, how the data has been used and the impact of all this.
A record of work done or proposed to be done to address the breach and mitigate adverse effects
A contact name from whom more information can be obtained
An estimation of the impact or consequences of the breach
Any supporting details or evidence
If you are unable to provide all of the above within the required timescale, it may be provided in phases.
You are also required to keep a register of security breaches detailing the facts, effects and remedial action taken.
What needs to be done in advance?
Given the tight timescales it is vitally important that staff who are likely to be involved in managing a security breach (including executive level, IT and security, legal and PR) are aware of their roles and responsibilities. For this to happen there needs to be a data breach policy and regular training (wargaming) on that policy, so that everyone knows what they are meant to be doing during what is likely to be an extremely stressful time. As they say in the army - train hard, fight easy.
For more information on this or any other matters related to GDPR please contact us. Breach notification requirements and details are included in our e-learning package, produced in partnership with MeLearning. Find out more here.