A personal data breach is defined by the ICO as "a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data." This means that a breach is more than just losing personal data.
By way of example, an employer could be subject to a data breach if an employee's employment record is inappropriately accessed by a person without authority.
A data controller only has to notify the ICO of a breach where it is likely to result in a risk to the rights and freedoms of individuals. This means a breach that, if not addressed, is likely to have a significant detrimental effect on individuals – for example, it could result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage.
Whether or not this threshold is met has to be assessed on a case-by-case basis. In most cases, at least in the early years of implementation of GDPR, it is likely that businesses will be advised to notify the ICO where there is any doubt about whether the threshold is met. In addition to the obligations of GDPR, there is a risk of substantial reputational damage where a business fails to notify the regulator of a data breach. Uber came under much criticism in late 2017 for the disclosure that it had omitted to notify regulators of a data breach that had occurred several years earlier.
Where a breach is likely to result in a high risk to the rights and freedoms of individuals, you must notify those concerned directly.
A ‘high risk’ means the threshold for notifying individuals is higher than for notifying the ICO.
There is a carve-out from the obligation to notify data subjects where it would impose unreasonable hardship. Having said that, in most cases this exclusion will not apply.
A breach notice must set out:
(a) the nature of the personal data breach including, where possible:
(i) the categories and approximate number of individuals concerned; and
(ii) the categories and approximate number of personal data records concerned;
(b) the name and contact details of the data protection officer (if the business has one) or other contact point where more information can be obtained;
(c) a description of the likely consequences of the personal data breach; and
(d) a description of the measures taken, or proposed to be taken, to deal with the personal data breach and, where appropriate, of the measures taken to mitigate any possible adverse effects.
A notifiable breach has to be reported to the ICO within 72 hours of the organisation becoming aware of it. The GDPR recognises that it will often be impossible to investigate a breach fully within that time period and allows you to provide information in phases.
If the breach is sufficiently serious to warrant notification to the public, the organisation responsible must do so without undue delay.
Failing to notify a breach when required to do so can result in a significant fine up to 10 million Euros or 2 per cent of the business' global turnover.
You should make sure that your staff understand what constitutes a data breach, and that this is more than a loss of personal data.
You should ensure that an internal breach reporting procedure is in place. This will facilitate decision-making about whether you need to notify the ICO and/or the public.
In light of the tight timescales for reporting a breach, it is important to have robust breach detection, investigation and internal reporting procedures in place.