Do you as employer and data controller have to report all personal data breaches to the ICO and/or the data subject? Do your processors need to tell you when they suffer a breach? In this article, we consider the extent of an employer’s obligations.
Security of personal data has been high on the watch-list of employers since the GDPR came into force on 25 May 2018. However, mistakes may still happen which result in employees’ personal data being lost, stolen or erroneously shared with unauthorised persons.
What is a personal data breach?
A personal data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed” (Article 4(12) GDPR). Incidents such as an unauthorised party accessing personal data, data being sent to an incorrect recipient, data being scrambled or held to ransom, data being unavailable for a material period of time, or an unencrypted laptop containing personal data being lost or stolen could therefore all be personal data breaches.
Do you have to report a personal data breach to the Information Commissioner’s Office (ICO)?
Yes, data controllers should report breaches if the breach is likely to result in a risk to the rights and freedoms of the data subject. A personal data breach which could result in physical, material or non-material damage to the data subject, such as identity theft, financial loss or loss of confidentiality, will likely have to be reported to the ICO.
Not every personal data breach will necessarily need to be reported to the ICO. How do you decide whether a breach should be reported? There is no clear answer and each breach will need to be considered on its particular facts. The European Data Protection Board recommends that the following factors are considered:
- the type of breach
- the nature, sensitivity and volume of personal data
- ease of identification of individuals
- severity of consequences for individuals
- special characteristics of the individuals
- the number of affected individuals
- special characteristics of the data controller, e.g. a medical organisation.
If you decide that a personal data breach should be reported to the ICO, it must be reported by you as a data controller no later than 72 hours after your organisation becomes aware of the breach. It is therefore important that you investigate a potential personal data breach without delay. Data controllers are expected to prioritise the investigation, give it adequate resources and expedite it urgently.
As well as identifying the cause of the personal data breach and any remedial action required, your investigation should also identify the requisite information that you are required to provide to the ICO when you report the breach, namely:
- the nature of the personal data breach, including the categories and approximate number of data subjects concerned and approximate number of personal data records concerned
- the name and contact details of the data protection officer or other contact point where more information can be obtained
- likely consequences of the personal data breach
- the measures taken or proposed to be taken by the data controller to address the personal data breach, including (where appropriate) measures to mitigate its possible adverse effects.
What about the data subject?
There may be reasons why you would prefer not to tell the data subject about a breach of their personal data. It could give an employee ammunition to use against you or result in the employee raising a grievance about your data security processes. If you have reported the personal data breach to the ICO, do you also have to tell the data subject?
Yes, if the risk to the data subject’s rights and freedoms is a high one, and in that case notification must be made without undue delay. For example, if an employee’s personal contact and banking details have been accidentally shared, the risk to the employee, such as being left vulnerable to fraud and ID theft, may mean that you have to notify them of the breach. Failing to notify the data subject could result in loss and risk to the individual, have a negative impact on your reputation and cause difficulties with the ICO. If you choose not to notify the data subject of a personal data breach, the ICO could order you to do so in any event.
What if you believe that it is not necessary to notify the ICO or data subject?
If you decide not to notify the ICO or the data subject, you will need to be able to justify your decision. Documenting the reasons for not doing so is therefore essential. It is important to contemporaneously document any personal data breaches, the facts relating to the breach, its effect and any remedial action that you have taken.
Potential consequences of non-compliance
As well as potential risks to the individual and reputational damage to organisations, the ICO also has corrective powers which could be used in response to a personal data breach and/or failure to report.
The ICO could impose a fine of up to EUR10 million or 2% of an organisation’s total worldwide annual turnover (whichever is higher) for non-compliance with GDPR. However, higher fines can be imposed for breaches of certain GDPR provisions. This includes the “integrity and confidentiality” principle whereby companies must ensure appropriate security of personal data and protect against data breaches. A fine of up to EUR20 million or 4% of total worldwide annual turnover, whichever is higher, could therefore be imposed for more serious personal data breaches.
In addition to, or instead of, a fine, the ICO could also issue a reprimand, impose a temporary or definitive limitation on your data processing, and/or order the suspension of data flows to a recipient in a third country or international organisation. Falling foul of your obligations under the GDPR can therefore be significantly costly, from both monetary and non-monetary perspectives.
If you require any support with addressing personal data breaches or notifying the ICO go to www.shoosmiths.co.uk/data.