Updated: Feb 27
The General Data Protection Regulation (GDPR) arrived in late May 2018. It tightened up existing data protection rules, taking the online world into account for the first time. So what happens if your organisation suffers a personal data breach, where customer data has been exposed, lost, stolen, or used in ways the individuals concerned didn't give you permission for?
When and how can you report personal data breaches under the GDPR? Here's what you need to know.
Vital information – GDPR in a nutshell
You have a duty of care to report certain types of personal data breach to the right supervisory authority
You must do so within 72 hours of becoming aware of the breach, unless you have an extremely good reason not to
If the breach involves a high risk of adversely affecting individuals’ rights and freedoms, you must let them know 'without undue delay'
You should create strong breach detection, investigation and internal reporting procedures
You must keep records of every personal data breach, whether or not you need to notify the ICO about it
Reporting personal data breaches to the Information Commissioner's Office
According to the Information Commissioner's Office (ICO), a personal data breach is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
If your business suffers a personal data breach, it's important to think about the risks the breach poses to people, if any. How likely is it that the breach will affect people's rights and freedoms? If it's likely, you'll need to inform the ICO. If it's unlikely, you don't need to report the breach to the ICO.
While there's no need to report every single incident to the ICO, it's really important to understand when you do need to.
Defining personal data breaches
A personal data breach might involve data access by an unauthorised third party, or the deliberate or accidental action (or inaction) by a data controller or processor. It can mean sending personal data to the wrong recipient, or the theft or loss of computing devices containing personal data. It can involve data being altered without someone's permission, or data that simply isn't available when and where it should be. As quoted on the ICO website:
“A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned.”
How can you tell if a breach is risky enough to report?
The ICO has provided a self-assessment tool to help you pin down whether your organisation needs to report to the ICO. It takes about 2 minutes to make your own assessment and you can do it here.
If your organisation has already made an assessment and decided the breach should be reported, there's a special Personal Data Breach Helpline number to call, staffed by experts who will advise you about what to do next, how to contain the problem, ways to prevent a recurrence, and whether you need to tell the data's subjects, the people whose data it is, about the breach.
How quickly must we report a breach?
You should report notifiable breaches to the ICO 'without undue delay', but they qualify that by saying 'not later than 72 hours after becoming aware of it'. If you take longer than this, you must be prepared to explain why it took so long.
The ICO Personal Data Breach Helpline is open Monday to Friday, 9am to 5pm.
What information does the ICO need?
The ICO's helpline experts will ask you about what's happened. They'll want to know when and how you found out about the breach, and which groups of people have been affected by it. They'll ask you what you are doing as a result of the breach, who else they need to contact for more information (if anyone) and who else you have told about it. You'll need to provide:
The nature of the breach
The categories of people involved
The approximate number of people involved
The name and contact details of your data protection officer
If you don't have one, a contact name for more information
The likely consequences
The measures you have taken, or propose to take, to mitigate any adverse effects
It's your job to provide accurate information to the right level of detail. The ICO will send you a copy of the information you've given them.
Reporting data breaches online
If you have a reportable breach but you're fully confident you've already dealt with it properly, you can report it online via a special form. The same goes if you are still investigating and plan to provide more information later on. The ICO's online form is also perfect for reporting breaches outside the usual office opening hours.
When reporting a breach online, make sure to include the telephone number of someone who knows what has happened, so the ICO can ask questions if necessary. If you struggle with the questions asked in the form or want to talk to an expert about managing a breach, you can call the ICO on 0303 123 1113.
What happens if you don't tell the ICO about a reportable breach?
If you fail to report a breach that you are required to notify, you can be fined up to 10 million euros or 2% of your global annual turnover.
For the fine detail plus examples, visit the relevant ICO page.
If you still have questions about the GDPR and your role as a company that collects, stores and/or uses personal data, we'll be delighted to help.