The GDPR introduced the requirement for a personal data breach to be notified to the ICO and, in certain cases, to communicate the breach to the individuals whose personal data have been affected by the breach.
You should plan in advance and put in place processes to be able to detect and promptly contain a breach, to assess the risk to individuals, to determine whether it is necessary to notify the ICO, and to communicate the breach to the individuals concerned when necessary
As part of any attempt to address a breach, you should first be able to recognise one. The GDPR defines a “personal data breach” in Article 4 as:
“a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
What is meant by “destruction” of personal data should be quite clear: this is where the data no longer exists, or no longer exists in a form that is of any use to the controller.
“Damage” should also be relatively clear: this is where personal data has been altered, corrupted, or is no longer complete.
In terms of “loss” of personal data, this means that the data may still exist, but you have lost control or access to it, or no longer have it in your possession.
Finally, unauthorised or unlawful processing may include disclosure of personal data to (or access by) recipients who are not authorised to receive (or access) the data.
Types of personal data breaches
Breaches can be categorised according to the following three well-known information security principles:
“Confidentiality breach” – where there is an unauthorised or accidental disclosure of, or access to, personal data.
“Integrity breach” – where there is an unauthorised or accidental alteration of personal data.
“Availability breach” – where there is an accidental or unauthorised loss of access15 to, or destruction of, personal data.
It should also be noted that, depending on the circumstances, a breach can concern confidentiality, integrity and availability of personal data at the same time, as well as any combination of these.
Whereas determining if there has been a breach of confidentiality or integrity is relatively clear, whether there has been an availability breach may be less obvious. A breach will always be regarded as an availability breach when there has been a permanent loss of, or destruction of, personal data.
Therefore, a security incident resulting in personal data being made unavailable for a period of time is also a type of breach, as the lack of access to the data can have a significant impact on the rights and freedoms of natural persons. To be clear, where personal data is unavailable due to planned system maintenance being carried out this is not a ‘breach of security’ as defined in Article 4.
The possible consequences of a personal data breach
A breach can potentially have a range of significant adverse effects on individuals, which can result in physical, material, or non-material damage. The GDPR explains that this can include loss of control over their personal data, limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, and loss of confidentiality of personal data protected by professional secrecy. It can also include any other significant economic or social disadvantage to those individuals.
Accordingly, the GDPR requires you to notify a breach to the ICO, unless it is unlikely to result in a risk of such adverse effects taking place. Where there is a likely high risk of these adverse effects occurring, the GDPR requires you to communicate the breach to the affected individuals as soon as is reasonably feasible.
If you fail to notify either the ICO or data subjects of a data breach or both even, then the ICO may impose sanctions. It is also important to bear in mind that in some cases, the failure to notify a breach could reveal either an absence of existing security measures or an inadequacy of the existing security measures. In that case, the ICO could issue sanctions for failure to notify or communicate the breach on the one hand, and absence of (adequate) security measures on the other hand, as they are two separate infringements.
However, depending on the circumstances of the breach, it may or may not require notification to the ICO and communication to affected individuals. You will need to assess the likelihood and severity of the impact on the rights and freedoms of natural persons as a result of the breach. In accordance with Article 33, you will need to notify unless the breach is unlikely to result in a risk to individuals’ rights and freedoms. Of course, this will need to be assessed on a case-by-case basis. Read our post on ‘When do you report a data breach?‘ for more information.