Handling a data breach

The GDPR introduces a duty on data controllers to report certain types of data breach to the ICO (or other relevant supervisory authority) and in some cases to the data subjects affected.


A data breach is not just the loss of personal data. It can include any breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.


Data processors are also under a duty to report personal data breaches to data controllers without undue delay, and data controllers must maintain an internal breach register.


Notification to the ICO (or other supervisory authority)

The ICO or other supervisory authority needs to be notified of a personal data breach where the breach is likely to result in a risk to the rights and freedoms of the data subjects (for example, if the breach were not addressed it could result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage).


Data controllers will need to assess the severity of the breach, and whether it needs to be notified, on a case-by-case basis. Where notification is required, it needs to be done without undue delay and, where feasible, not later than 72 hours after the data controller becomes aware of it.


Notification to the data subjects

Where a personal data breach is likely to result in a high risk (rather than just a risk, which is the threshold for notification to the ICO) to the rights and freedoms of the data subjects, the data controller must notify those data subjects directly. This notification should take place without undue delay.


Information to be included in the notification

The following information should be included in the personal data breach notification:

  • Nature of the personal data breach
  • Categories and approximate number of individuals concerned
  • Categories and approximate number of personal data records concerned
  • Description of the likely consequences of the breach
  • Description of the measures taken, or proposed to be taken, to deal with the breach / mitigate any possible adverse effects
  • Contact details of the data controller’s Data Protection Officer / main point of contact for dealing with the breach