If you have a question you'd like to ask our experts, please get in touch on email@example.com.
Under the GDPR, do I have to report security breaches to a regulator? If so, how do I go about doing this?
Jon Baines, data protection advisor at Mishcon de Reya LLP:
One of the changes introduced by the GDPR is a qualified requirement for data controllers to notify the supervisory authority (the Information Commissioner's Office (ICO)) in the event of a 'personal data breach'.
The requirement does not apply, however, if the personal data breach is 'unlikely to result in a risk to the rights and freedoms' of affected individuals. The ICO says that assessing whether such a risk arises involves considering the potential negative consequences for the individuals – for instance whether discrimination, identity theft or fraud, financial loss or damage to reputation might result.
A 'personal data breach' is defined as 'a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed'. This is obviously quite wide, and given that, until GDPR was introduced, there was no general mandatory obligation to report, it is envisaged that the ICO will be receiving a large number of notifications.
One of the key provisions regarding reporting a personal data breach is that it must be done, where feasible, within 72 hours of the controller becoming aware of it. This clearly presents certain operational challenges and risks, and it will be interesting to see whether action is taken against those controllers who fail to meet this timescale.
In practical terms, the process for reporting is as simple as telephoning the ICO.
Among other things they will want to know: what has happened; when and how you found out; the people that have been or may be affected; and what you are doing as a result of the breach.
Organisations will want to make sure they handle notification of personal data breaches correctly, because if the breach is subsequently found to be a serious infringement of the GDPR, potentially very large fines are available to the ICO.
The GDPR team at Mishcon de Reya comprises data protection experts as well as non-lawyer cyber security specialists. If you would like any advice on how to manage GDPR within your organisation, please contact Jon Baines.
Annemarie Proudfoot, head of customer relations at BestAgent:
Yes, the GDPR requires that you report a breach that is likely to result in a high risk of adversely affecting individuals’ rights and freedoms to the ICO - and to the customers affected - within 72 hours (you can do so here) without undue delay.
You must maintain an internal record of any and all security breaches even when you do not determine that there is a high risk of adversely affecting individuals’ rights and freedoms (i.e. you find it unnecessary to report to the ICO).
Bernard George, solicitor for Socrates Training Ltd:
Prevention is a billion times better than cure. And the key to prevention is mainly staff training. Socrates’ online training includes the key things staff must do to keep data secure.
But to answer the question, yes, some data breaches do have to be reported to the Information Commissioner. Chapter and verse on this subject can be found here.
Damon Bullimore, chief information officer at BriefYourMarket.com:
You have to report a notifiable data breach to the ICO within 72 hours.
However, the ICO does note that "[agents]...will need to establish the likelihood and severity of the resulting risk to people’s rights and freedoms. If it’s likely that there will be a risk then you must notify the ICO; if it’s unlikely then you don’t have to report it."
"However, if you decide you don’t need to report the breach, you need to be able to justify this decision, so you should document it."
*If you would like to receive further guidance from any of our GDPR experts, please click here.
Angels Media Ltd encourages you to seek additional guidance, including professional legal advice, to ensure that all of your business operations are ready for the GDPR.
Angels Media Ltd Legal Disclaimer:
The information contained here is for general guidance purposes only. It should not be taken for, nor is it intended as, legal advice.
We would like to stress that there is no substitute for making your own detailed investigations or seeking your own legal advice if you are unsure about the implications of the GDPR for your business.
While we have made every effort to ensure that the information covered here is correct and up to date, we, Angels Media Ltd, make no promises as to completeness or accuracy, and the information is delivered on an “as is” basis without any warranties, express or implied.
Angels Media Ltd will not accept any liability for errors or omissions and will not be liable for any damage (including, without limitation, damage for loss of business or loss of profits) arising in contract, tort or otherwise from the use of or reliance on this information or from any action or decisions taken as a result of using this information.