How to Report a GDPR Breach

The General Data Protection regulations have just kicked in in all European Union (EU) Member States. Due to this, if your business or organization employs, trades with, buys or sells to or from an individual or business that involves an EU citizen anywhere in the world your company is subject to rules and penalties.

There are several changes in relation to data protection plans that were introduced before GDPR came into effect.  One of these is personal data breaches.

GDPR aims to protect the personal data of all EU citizens. Thus, any time a breach in personal data occurs, supervisory authorities must be informed. Your business can be heavily fined if it fails to self-report breaches.

What is meant by Personal Data?

Personal data is any information collected from employees, service providers, clients or any other EU citizens with whom your company deals directly or indirectly. Article 4 paragraph 1 spells out who is a data subject. Personal data is described by GDPR Article 4, Paragraph 2.

Personal data includes the reference to the data subject’s identity including:  name, an identification number, residence, work location, and/or online identification. Personal data may also include any or all of: physical, physiological, genetic, mental, economic, cultural or social identity of the data subject.

What is a Breach?

What is a personal data breach? GDPR article 4 paragraph 7 describes data breaches. What actually constitutes personal data is spelled out in Article 4 paragraph 12.

This term refers to a security glitch. A breach can result in the disclosure of personal data of one or more data subjects — employees, clients, tradespeople. It can also result in data being destroyed, modified, altered or lost. Breaches are not just a loss of data. Many more things can happen to the data of a single subject, or even thousands of data subjects.

Why the Concern over Breaches?

Obviously data subjects who agreed to your company’s gathering, processing, storing and using their data expect that only your company will have access to that data. Moreover, they expect that this data will be used only as your company stated it would be used. Finally, they expected the data would be safely stored. Breaches can jeopardize any or all of these expectations.

Besides the concern over penalties which could amount to €20m or 4% of the company’s annual revenue, there is the problem of bad publicity. A company that cannot be trusted to secure personal data is not a business people will want to work with. Customers may mistrust the organization and stop doing business with it.

Companies are worried that failure to comply with reporting a breach may bankrupt them. They are also concerned that reporting breaches may result in loss of public confidence in the enterprise.

How Does Your Company Report a Breach?

If a breach is discovered, your business has only 72 hours from the time of its discovery to report it to the GDPR supervisory authority. As some breaches may not be able to be investigated thoroughly within seventy-two hours, information may have to be given in stages.

Who Reports the Breach?

First the breach needs to be reported immediately by the employee(s) who discovered it. These breaches are usually reported to your business’ Data  Controller or Data Protection Officer. Your company should have a clear plan for reporting breaches. All employees should know the procedures.

Frequent reviews of the reporting procedure should occur so employees are reminded of those reporting obligations and procedures. The Data Controller or Data Protection Officer then fills out reporting forms, investigates the data breach and forwards the report to the designated GDPR supervisory authority.

When must Data Subjects Affected by this Breach be Informed?

The risk of the breach is a factor regarding how quickly those whose data was breached are informed. If the data is sensitive and/or there is a high risk to the data subjects’ rights and freedoms they must be told of the breach immediately.

The need to notify data subjects might outweighs the need to notify the GDPR supervisory officer in charge of breach reporting.

The Task of the Data Processor in Reporting a Personal Data Breach

Your business must have designated Data Processor (s) under Article 33 paragraph 2. Your company’s Data Processor works under the supervision of the company’s Data Controller. If a breach occurs, the Data Processor is obligated to report it to the company’s Data Controller under Article 33 paragraph 2. This reporting must occur immediately. The Data Controller is the person designated by your organization under Article 4 paragraph 8. He/she determines how data is collected, stored, secured and used.

Personal Data Breach Reporting By a Data Controller

Your company’s Data Controller must notify the competent supervisory authority of a personal data breach within 72 hours after the Data Processor reports it to the Data Controller. However, Article 33 paragraph 1 describes instances where the reporting of a breach might not be considered likely to result in a risk to the data subject’s rights.

So first the company’s Data Controller must determine the risk involved in the breach. Things to consider include:

  • How serious is the breach?
  • What are the potential risks?
  • How sensitive is the personal data?

What is the likely impact on the data subject’s rights and freedoms?

GDPR guidelines have been issued by the European Union Agency for Network and Information Security (ENISA). Included are recommendations for the way Data Controllers should assess the severity of a breach.

Criteria for assessing the risk of the breach include:

  • What type of breach occurred?
  • How much data is affected?
  • How many data subjects are affected?
  • How sensitive is the data?
  • How quickly and/or easily can data subjects be identified?
  • What are the consequences of the breach for data subjects?
  • Are there special characteristics of the data subjects?

Under Article 33 paragraph 4, the Data Controller is obligated to report the breach in as much detail as possible and to provide additional details as soon as possible.

If this notification by the Data Controller is not made to the GDPR supervisory authority within 72 hours, he/she must give reasons for the delay. Possible reasons for an acceptable delay are spelled out in Article 33 paragraph 1.

If after examination the Data Controller is unsure whether to report the breach, he/she should always err on the side of reporting the breach. There is no penalty for reporting something that need not have been reported. An unreported breach that should have been reported may result in hefty fines.

Data Controller’s Report

The Data Controller may use the convenient template for reporting a breach provided by GDPR. The information required for reporting includes:

  • Data Controller’s name and contact details
  • Name and contact details of the company’s Data Protection Officer
  • Any other contact people (e.g., Data Processor) who can furnish more information.
  • Description of the personal data breach: whose data is involved; degree and extent of the breach; number of data subjects involved; volume of personal data records.
  • Data Controllers are encouraged to hypothesize the likely consequences of the beach.
  • Descriptions of steps to address the personal data breach and/or to mitigate negative effects of the breach
  • Justification for not reporting as outlined in Recital 88.
  • Steps taken to inform data subjects of the personal data breach
  • Measures taken to guard the security of personal data (e.g., encryption)
  • Steps taken to ensure high risk materials were protected.
  • Clear communication of personal data breach with Data Protection Officer’s contact details, where data subjects might gain additional information about the breach.

In light of high profile data breaches like the one Facebook has recently experienced, it is anticipated that GDPR compliant companies will need to be even more diligent in ensuring that all data breaches of personal data are reported and a clear process for reporting, informing data subjects and meticulous follow up is completed.

Lawyers speculate that the new GDPR regulations will vastly change how businesses view and react to personal data breaches. They advise companies to have a thorough understanding of the regulations and have in place an iron-clad plan for dealing with data breaches.

They also recommend that every company increase the quantity and quality of their security to prevent such data breaches.

A final consideration in ensuring that breaches are reported is education of employees. Particularly Data Processors but all employees who have anything to do with personal data need to know the company procedures for reporting personal data breaches. Preparedness and information are key components to being GDPR compliant.