Under the current data protection framework in the UK only some data controllers are placed under an obligation to notify the Information Commissioner’s Office of data breaches. That will change on 25 May 2018 when the General Data Protection Regulation (“GDPR”) becomes applicable. Under the GDPR all data controllers will be required to report certain types of data breaches to the Supervisory Authority (the Information Commissioner in the UK); it will also place an obligation on data controllers to report some breaches to the affected data subjects.
What breaches need to be reported to the ICO?
It should be stressed that the provisions in the GDPR regarding notification of breaches apply to all data controllers. If you’re a data controller that isn’t presently under an obligation to report data breaches then it is important that you prepare for having to comply with this requirement. The timescales for reporting a breach to the ICO are tight.
A personal data breach is defined in the GDPR as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
All personal data breaches will require to be reported to the ICO, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Therefore, only the most minor of personal data breaches will not require to be reported. The obligation is on the data controller to decide whether or not the breach meets the threshold to be reported and, equally, the burden of being able to justify why a personal data breach did not need to be reported falls on the data controller. In practice this means the controller should document every personal data breach, including those it decides not to report, together with the reasoning behind that decision.
When do I need to report the breach to the ICO?
The GDPR requires that personal data breaches which require to be brought to the attention of the ICO need to be reported without undue delay and, where feasible, not later than 72 hours after the data controller becomes aware of it. Where the ICO is notified of the breach more than 72 hours after the data controller became aware of it, the data controller must explain the delay when making the report.
It is likely that only the most exceptional of justifications will be accepted when reporting a data breach outside of the maximum window of 72 hours. This is because the data controller does not need to supply all of the required information to the ICO at the same time; the GDPR expressly allows the information to be provided in phases, so the data controller can pass on information as it becomes aware of it. This means that data controllers should not delay the notification of the breach until after the conclusion of internal investigations.
When do affected data subjects require to be notified of a data breach?
The GDPR requires that affected data subjects be notified of a breach in certain circumstances; although it will likely be considered good practice to notify affected data subjects about most breaches, even when there is no legal obligation to do so. The threshold for telling affected data subjects is higher than the threshold for reporting personal data breaches to the ICO; not all breaches reported to the ICO will need to be reported to the affected data subjects.
Affected data subjects require to be told of the data breach where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons. Affected data subjects should be told without undue delay. The GDPR does relieve the data controller of this obligation in some circumstances, most notably where the personal data affected had been rendered unintelligible to unauthorised persons (for example, by encryption) before the breach occurred; even then, the breach may still require to be reported to the ICO.
Are there any Exceptions?
The Data Protection Bill, which has now started its journey through the parliamentary process, proposes that the obligations under Articles 33 (requirement to notify the Information Commissioner of a personal data breach) and 34 (requirement to notify data subjects of a personal data breach) will not apply where exemption is required for either (a) the purpose of safeguarding national security; or (b) defence purposes.
Clause 25 makes provision for a member of the Cabinet, the Attorney General or the Advocate General of Scotland to certify “that exemption from all or any of the provisions listed in section 24(2) is, or at any time was, required in relation to any personal data for the purpose of safeguarding national security” and that such a certificate is “conclusive of that fact”. There will, however, be a right to appeal such a certificate to the First-Tier Tribunal (Information Rights), which shall be required to apply the same principles as would apply to a claim or petition for judicial review.
The GDPR provides for financial penalties for (a) not reporting a personal data breach to the ICO when notification was required; (b) delays in reporting the personal data breach to the ICO; and (c) failure to notify affected data subjects when there was a requirement to do so. The financial penalties can be significant – potentially up to €10m or 2% of global turnover, whichever is greater.
It is far too early to say anything about the level of penalties that might be imposed by the ICO and in what circumstances they will make use of these powers. The power exists and data controllers should be aware of the power to impose administrative fines, but it is probably best not to think too much about the maximum penalties. I have already published a blog post which covers the subject of administrative fines under the GDPR, which you can read here.
What to do?
It’s going to be important for data controllers to have robust policies and procedures in place around personal data breaches. These will need to cover identifying personal data breaches, what to do when a personal data breach has been identified, and the reporting and monitoring of personal data breaches. It will also be essential to ensure that there are sufficient resources in place to ensure that reports are made to the ICO in time; the 72 hour window runs from the point at which the data controller becomes aware of the breach, not from the point at which the responsible person is back at their desk, so someone being on holiday or off sick is unlikely to be considered sufficient justification for a delay in reporting a personal data breach (especially in medium sized and large organisations).