As most of you will be aware, the General Data Protection Regulation (GDPR) applies from 25 May 2018. Amongst other things, it subjects organisations that are “data controllers” or “data processors” to a new notification regime for personal data breaches. Controllers must report qualifying breaches to the supervisory authority and, in some cases, to the affected individuals; processors must notify the controller without undue delay after becoming aware of a breach.
When do you need to notify the Information Commissioner’s Office (ICO) of a breach?
Contrary to popular belief, not all personal data breaches will need to be reported to the ICO. From 25 May 2018, a breach must be reported unless it is unlikely to result in a risk to the rights and freedoms of the individuals concerned. Note the way this test is framed: the default position is to notify, and it is for the organisation to conclude, and be able to show, that a risk is unlikely.
In summary, whether an incident must be reported to the ICO is determined by the level of risk the breach poses to the people affected. If a real risk to individuals’ rights and freedoms cannot be ruled out, the breach must be reported to the ICO. Only where that risk is unlikely is there no obligation to report.
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Examples of breaches that may need to be reported include someone accessing the data or passing it on without proper authorisation, and data being made unavailable, for example by being encrypted by ransomware or accidentally lost or destroyed. A breach therefore does not require data to leave the organisation: loss of availability counts.
If you decide not to report a breach to the ICO, you must be able to justify that decision. It is therefore important that the reasoning behind every such decision is documented at the time it is made.
When do you need to notify individuals of a breach?
In addition to the obligation to report a breach to the ICO, where a breach is likely to result in a high risk to the rights and freedoms of individuals, the GDPR requires you to inform those individuals without undue delay. Note the higher threshold: a breach that must be reported to the ICO (a risk) will not always have to be communicated to individuals (a high risk).
The GDPR requires that the nature of the personal data breach is described to the affected individuals in clear and plain language. As a minimum, the following information must also be provided:
The name and contact details of your Data Protection Officer (if applicable);
If a DPO has not been appointed, details of another contact point from whom further information can be obtained;
An overview of the likely consequences of the breach; and
An overview of the measures taken or proposed to deal with the breach, including, where appropriate, steps taken to mitigate its possible adverse effects.
What are the timeframes for notifying relevant parties of a breach?
The GDPR requires the breaches described above to be reported to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Where notification is made later than 72 hours, it must be accompanied by the reasons for the delay. The clock starts on awareness, not on completion of your investigation: if the full picture is not yet available, the information may be provided to the ICO in phases without undue further delay.
As above, where the breach is likely to result in a high risk to individuals’ rights and freedoms, you must also notify those individuals without undue delay.
What happens if you fail to notify the ICO of a breach?
Failure to notify the relevant parties of a breach where required to do so can result in a significant fine.
The GDPR gives the ICO discretion to impose fines of up to 10 million euros or 2% of an organisation’s total worldwide annual turnover for the preceding financial year, whichever is higher. It is therefore important to have a robust reporting process in place so that you can detect a breach and notify it within the required timeframe.
Why do data protection breaches need to be reported to the ICO?
The new data protection laws are designed with public policy in mind, to enable regulators both to detect and to deter data protection breaches. It is also hoped that the Regulation will raise levels of security and privacy protection and deter criminal activity.
As above, you should ensure that you have robust breach detection, investigation and internal reporting procedures in place. This will enable you to decide promptly whether you need to notify the relevant supervisory authority and/or the affected individuals of a breach.
You should also keep a record of all personal data breaches, regardless of whether you are required to notify the ICO. The record should cover the facts of the breach, its effects and the remedial action taken, so that the ICO can verify your compliance if it asks.
If an incident occurs, investigate its cause. For example, was the breach the result of human error or a technical failure? Understanding the cause will enable you to choose how best to prevent a recurrence.
If you require any advice in relation to GDPR including what steps you can put in place to reduce the risk of a data breach, please contact Farleys Solicitors on 0845 287 0939 or contact us through our online contact form.