Data Breaches

We’ve all heard of big companies losing data or being subject to a cyber-attack, but it can happen to anyone. A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorised to do so.

The GDPR places a requirement on organisations to notify the supervisory authority of personal data breaches, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Similarly, organisations must inform individuals where the data breach constitutes a high risk to their rights and freedoms. The definition of a personal data breach is broad, covering accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Notification of breaches to the supervisory authority depends on the likelihood and severity of the risk to individuals. If it is unlikely that there will be a risk to the rights and freedoms of individuals, then the breach does not have to be reported. If it is likely that there will be a risk, then it must be reported. If a breach is likely to be a high risk to individuals, then they must also be informed about the breach.

In the UK, the ICO is the national supervisory authority, responsible for ensuring compliance with the data protection legislation. If data of other EU residents is affected, then you may also need to engage with other national supervisory authorities. Records must be kept of all personal data breaches, whether or not they meet the threshold for formal notification to the supervisory authority or communication to individuals.

Controllers are responsible for data breach notification, i.e. if you have a breach of your recruiter information, you are responsible for notifying the ICO. Processors also play an important role in notifying any breach to their Controller to allow them to determine what action needs to be taken. Failure to report a notifiable breach to either the supervisory authority or an individual can lead to a sanction (a fine) on the Controller.

Effective management of a personal data breach requires planning, preparation and understanding of the impacts of a breach on individuals:

Step 1:

Contain the breach - put effective plans in place that will allow you to both contain the risk if a breach does occur and recover from the impact.


  • Ensure that there is a main point of contact for employees and any freelance contractors
  • Use appropriate technical security measures such as encryption and ensure your processing systems are resilient, regularly tested and updated
  • Put steps in place to contain the breach by changing passwords, shutting down computers or halting network traffic


Step 2:

Assess the risks of the breach to determine whether (and, if so, to whom) you need to report the breach. Remember that whilst not all risks need to be reported, the greater the likely impact on individuals, the more likely it is that the breach will need to be reported to the supervisory authority.

  • Check contractual arrangements to see the time frames that you have for reporting to other parties such as controller clients.


Step 3:

Notify the ICO (if necessary)

  • Determine whether notification to the ICO or another competent supervisory authority is required. 


Step 4:

Inform individuals (if necessary)

  • Determine whether affected individuals need to be informed about the breach


Step 5:

Document the breach. Document all breaches in your internal breach register regardless of whether you notify the national supervisory authority or individuals.

Step 6:

Evaluate to prevent repeat breaches. Evaluate and review the effectiveness of the organisational response to the breach.