Data breaches can occur at anytime. See our previous post for more information on ‘what is a data breach?‘.
Once you have become aware of a data breach, if it is one that is notifiable, you must inform the ICO without undue delay, and where feasible, not later than 72 hours. You also need to assess if you must notify the affected individuals.
You should have internal processes in place to be able to detect and address a breach. It is important that when a breach is detected it is reported upwards to the appropriate level of management so it can be addressed and, if required, notified to the ICO. Such measures and reporting mechanisms could be detailed in your incident response plans and/or governance arrangements. These will help you to plan effectively and determine who has operational responsibility within the organisation for managing a breach and how or whether to escalate an incident as appropriate. You should also have in place arrangements with any processors that you use.
- Information concerning all security-related events should be directed towards a responsible person or persons with the task of addressing incidents, establishing the existence of a breach and assessing risk.
- Risk to individuals as a result of a breach should then be assessed (likelihood of no risk, risk or high risk), with relevant sections of the organisation being informed.
- Notification to the ICO, and potentially communication of the breach to the affected individuals should be made, if required.
- At the same time, you should act to contain and recover the breach.
- Documentation of the breach should take place as it develops.
Assess the risk
Once you have established with a reasonable degree of certainty that a breach has occurred, then you must assess if the breach needs to be reported to the ICO.
Although the GDPR introduces the obligation to notify a breach, it is not a requirement to do so in all circumstances:
- Notification to the ICO is required unless a breach is unlikely to result in a risk to the rights and freedoms of individuals.
- Communication of a breach to the individual is only triggered where it is likely to result in a high risk to their rights and freedoms.
This means that immediately upon becoming aware of a breach, it is vitally important that you should not only seek to contain the incident but it should also assess the risk that could result from it. There are two important reasons for this: firstly, knowing the likelihood and the potential severity of the impact on the individual will help you to take effective steps to contain and address the breach; secondly, it will help you to determine whether notification is required to the ICO and, if necessary, to the individuals concerned.
Risk exists when the breach may lead to physical, material or non-material damage for the individuals whose data have been breached. Examples of such damage are discrimination, identity theft or fraud, financial loss and damage to reputation. When the breach involves personal data that reveals racial or ethnic origin, political opinion, religion or philosophical beliefs, or trade union membership, or includes genetic data, data concerning health or data concerning sex life, or criminal convictions and offences or related security measures, such damage should be considered likely to occur.
Accordingly, when assessing the risk to individuals as a result of a breach, you should consider the specific circumstances of the breach, including the severity of the potential impact and the likelihood of this occurring.
The assessment should take into account the following criteria:
1. The type of breach
The type of breach that has occurred may affect the level of risk presented to individuals. For example, a confidentiality breach whereby medical information has been disclosed to unauthorised parties may have a different set of consequences for an individual to a breach where an individual’s medical details have been lost and are no longer available.
2. The nature, sensitivity, and volume of personal data
When assessing risk, a key factor is the type and sensitivity of personal data that has been compromised by the breach. Usually, the more sensitive the data, the higher the risk of harm will be to the people affected, but consideration should also be given to other personal data that may already be available about the data subject. For example, the disclosure of the name and address of an individual in ordinary circumstances is unlikely to cause substantial damage. However, if the name and address of an adoptive parent is disclosed to a birth parent, the consequences could be very severe for both the adoptive parent and child.
Breaches involving health data, identity documents, or financial data such as credit card details, can all cause harm on their own, but if used together they could be used for identity theft. A combination of personal data is typically more sensitive than a single piece of personal data.
Some types of personal data may seem at first relatively innocuous, however, what that data may reveal about the affected individual should be carefully considered. A list of customers accepting regular deliveries may not be particularly sensitive, but the same data about customers who have requested that their deliveries be stopped while on holiday would be useful information to criminals.
Similarly, a small amount of highly sensitive personal data can have a high impact on an individual, and a large range of details can reveal a greater range of information about that individual. Also, a breach affecting large volumes of personal data about many data subjects can have an effect on a corresponding large number of individuals.
3. Ease of identification of individuals
An important factor to consider is how easy it will be for a party who has access to compromised personal data to identify specific individuals or match the data with other information to identify individuals.
Depending on the circumstances, identification could be possible directly from the personal data breached with no special research needed to discover the individual’s identity, or it may be extremely difficult to match personal data to a particular individual, but it could still be possible under certain conditions. Identification may be directly or indirectly possible from the breached data, but it may also depend on the specific context of the breach, and public availability of related personal details. This may be more relevant for confidentiality and availability breaches.
4. Severity of consequences for individuals
Depending on the nature of the personal data involved in a breach, for example, special categories of data, the potential damage to individuals that could result can be especially severe, in particular where the breach could result in identity theft or fraud, physical harm, psychological distress, humiliation or damage to reputation. If the breach concerns personal data about vulnerable individuals, they could be placed at greater risk of harm.
Whether you are aware that personal data is in the hands of people whose intentions are unknown or possibly malicious can have a bearing on the level of potential risk.
There may be a confidentiality breach, whereby personal data is disclosed to a third party or other recipient in error. This may occur, for example, where personal data is sent accidentally to the wrong department of an organisation, or to a commonly used supplier organisation. You may request the recipient to either return or securely destroy the data it has received. In both cases, given that you have an ongoing relationship with them, the recipient may be considered “trusted”. In other words, you may have a level of assurance with the recipient so that you can reasonably expect that party not to read or access the data sent in error, and to comply with your instructions to return or delete it. Even if the data has been accessed, you could still possibly trust the recipient not to take any further action with it and to return the data to you promptly or to delete it.
In such cases, this may be factored into the risk assessment that you carry out following the breach – the fact that the recipient is trusted may eradicate the severity of the consequences of the breach but does not mean that a breach has not occurred. However, this in turn may remove the likelihood of risk to individuals, thus no longer requiring notification to the ICO or to the affected individuals. Again, this will depend on case-by-case basis.
5. Special characteristics of the individual
A breach may affect personal data concerning children or other vulnerable individuals, who may be placed at greater risk of danger as a result. There may be other factors about the individual that may affect the level of impact of the breach on them.
6. Special characteristics of the data controller (you)
The nature and role of your organisation and your activities may affect the level of risk to individuals as a result of a breach. For example, a medical organisation will process special categories of personal data, meaning that there is a greater threat to individuals if their personal data is breached, compared with a mailing list of a newspaper.
7. The number of affected individuals
A breach may affect only one or a few individuals or several thousand, if not many more. Generally, the higher the number of individuals affected, the greater the impact of a breach can have. However, a breach can have a severe impact on even one individual, depending on the nature of the personal data and the context in which it has been compromised. Again, the key is to consider the likelihood and severity of the impact on those affected.
8. General points
All breaches need to be considered on a case by cases basis.
When assessing the risk that is likely to result from a breach, you should consider a combination of the severity of the potential impact on the rights and freedoms of individuals and the likelihood of these occurring. Clearly, where the consequences of a breach are more severe, the risk is higher and similarly where the likelihood of these occurring is greater, the risk is also heightened. If in doubt, you should err on the side of caution and notify the ICO.All
Data Protection Officer
As part of our DPO service, we provide data protection advice when you have had a data breach. We will notify the ICO and be their contact point and the contact point for the affected individuals. We will take charge of the situation for you so that you can be confident in the way it is being handled and don’t have to worry.