The ICO have recently released the latest in their series of blogs seeking to provide clarity around key topics of the General Data Protection Regulation and dispel any associated myths.
The latest topic in this ‘myth-buster’ series is data breach notifications (https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/breach-notification/) and the attention-grabbing headlines that have been circulating on this subject. For example:
- All personal data breaches will need to be reported to the ICO.
- All details need to be provided as soon as a personal data breach occurs.
- If you don’t report in time a fine will always be issued and the fines will be huge.
- Data breach reporting is all about punishing organisations.
When to notify
Essentially, the ICO blog states that organisations that are data controllers are under an obligation to notify the supervisory authority in all instances where there is a ‘likelihood of risk’ to an individual’s rights and freedoms. There is also a further obligation to notify the affected individuals directly where a breach is likely to result in a ‘high risk’ to those persons. By contrast, where there is little risk to an individual (i.e. the breach is unlikely to result in harm to people’s rights and freedoms) there is no obligation to notify a supervisory authority.
Likelihood of risk
Examples of this might be where an individual’s ID documents or bank account information are compromised and the chance of ID theft or fraud is therefore magnified, or where individuals would experience discrimination or disadvantage as a result of the breach. The specifics of what might be determined as a likelihood of risk, or indeed high risk, to individuals are better explained in the ICO’s overview of the GDPR (https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/breach-notification/), but certainly the quantity of data breached, as well as its content (whether extensive, sensitive or special data), its context and the degree of protection afforded to it (encryption, security measures) will all be key to establishing this.
Although not specifically covered in the ICO blog, there does not appear to be any equivalent discretion with regard to the requirement for data processors to report breaches. Therefore, regardless of the likelihood of harm materialising from any incident, a data processor should always notify the data controller. Although this type of notification is mandatory, it may be advisable as a business to ensure data processors commit to such notification in contract, especially when they are based outside of the EEA.
What to notify
In terms of pragmatism, guidance in the blog states that the ICO do not expect organisations to have all the details of a data breach at hand straight away when making a report. What is expected, however, is that the organisation will make the ICO aware of the existence of a relevant breach within 72 hours and provide certain mandatory information key to explaining the situation. Organisations will be able to add ‘meat to the bones’ later, addressing the full extent of the breach and any corresponding details of related investigation(s). Importantly, the ICO will require an explanation should organisations fail to meet the 72-hour time limit for initial notification, and can levy fines in response to any such failures.
The ICO finish the blog by informing organisations the reporting requirement associated with data breach is not there to punish organisations, but instead to ensure individual data subjects are confident their personal information is treated appropriately and that infringement is met by investigation.
The logic is clear: if organisations are required by law to notify supervisory authorities in all instances of a ‘relevant’ data breach, they will be more likely to take steps to avoid situations which might give rise to such notifications, for example by embracing the concept of ‘privacy by design’ and constantly working to improve process, thereby reducing both the likelihood of a breach and the associated risk to individuals.
Although punishment is not the primary objective, sanctions will necessarily follow where appropriate and necessary. In such circumstances, the ICO will take into account a number of key factors. On the one hand: culpability, poor practice and a negligent or reckless approach. On the other hand: steps taken by the organisation to mitigate the chance of a breach, the damage suffered as a result of a breach, and the administrative steps taken by the organisation to ensure the appropriate parties were notified.
Awaiting further updates
It is worth noting that the Article 29 Working Party has yet to provide final guidance on data breach notification. Nonetheless, it is not anticipated that there will be any significant departures from the concepts outlined in the ICO blog, other than increased clarity.