Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA), any business or organisation which suffers a personal data breach is required to carry out an assessment. Depending on the seriousness, it may be necessary to report a breach to the Information Commissioner’s Office (ICO). In this post, we will explain the circumstances under which it may be necessary to report personal data breaches, how to report them, and we will look at some of the potential consequences.
What is Considered a Data Breach?
The ICO defines a personal data breach as: “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.”
In order to be considered a data breach under the regulations, the data which has been breached must be personal data; general data which does not relate to an identifiable living individual is not covered under the UK GDPR or DPA.
Data breaches are often caused by a cyberattack. In this case, malicious hackers might target a business and attempt to extract information held, for example, in databases. Alternatively, the organisation may fall victim to malware which is circulating online, for example a trojan horse that gains access to confidential data after an employee accidentally clicks on a link in a spam email.
That being said, a data breach does not always have to be the result of a cyberattack, or even occur online. There have been several publicised cases where members of staff have forgotten a USB stick or paper files containing personal data on a train or other public places. These are also considered to be data breaches, as are cases where an employee has accidentally emailed confidential files to an unintended recipient who is not authorised to access the personal data inside.
It’s also worth noting that the data does not necessarily need to fall into the wrong hands to be considered a data breach. If an authorised person deliberately or mistakenly alters or deletes personal data improperly, this also contravenes the rules.
How Serious are Data Breaches?
Depending on the circumstances, the ICO may fine any organisation which suffers a data breach up to a maximum of £17.5 million or 4% of its annual global turnover (whichever is higher). British Airways was fined £20 million for infringements of the GDPR in relation to a data breach in 2018 which exposed names, addresses, and payment card details of customers and staff.
In addition to potential ICO penalties, businesses in certain sectors may also have to contend with their own regulatory bodies. For example, law firms which suffer a data breach as a result of failure to implement sufficient cybersecurity measures may face enforcement action from the Solicitors Regulation Authority (SRA).
Furthermore, businesses which are publicly exposed as having incurred a significant data breach will inevitably suffer a certain degree of reputational damage. This can result in loss of clients and potentially missing out on future business opportunities.
Finally, data breaches which involve a cyberattack will result in damage to IT infrastructure, and there will often be extensive work which needs to be carried out to rebuild security protocols, issue new passwords and so on.
What is the Maximum Fine for a Data Breach?
The “higher maximum level” of fine for breaching the UK GDPR is £17.5 million or 4% of the organisation’s annual global turnover (whichever is higher). This level can apply to infringement of key aspects of the UK GDPR including the data protection principles, the rights of individuals, and provisions relating to the transfer of personal data to third countries.
The “standard maximum level” of fine – which applies to other types of infringement (such as those relating to certain obligations of controllers and processors, and certain obligations of certification and monitoring bodies) – is the higher of £8.7 million or 2% of the total annual worldwide turnover in the preceding financial year.
A number of factors will be considered when deciding whether or not to impose a fine and how much the fine will be. Some key factors taken into consideration will include (note that this is not an exhaustive list):
- The nature, gravity, and duration of the infringement, taking into account the nature, scope or purpose of the personal data processing involved, the number of individuals affected, and the level of damage suffered by them;
- The intentional or negligent nature of the infringement;
- Action taken to mitigate the damage suffered by individuals;
- The degree of responsibility taking account of the technical and organisational measures implemented by the data controller and/or processor involved;
- Previous infringements;
- The degree of co-operation with the ICO in remedying the infringement and mitigating its adverse effects;
- The categories of personal data affected by the infringement;
- The manner in which the infringement became known to the ICO (whether or not the organisation responsible for the breach notified the ICO themselves, for example);
- Compliance with approved codes of conduct; and
- Other aggravating or mitigating factors.
Fines under the UK GDPR must be “effective, proportionate, and dissuasive”. In practice, both of these maximum levels of fine only apply to the largest companies with the most significant infringements, caused by egregious data protection failings. The ICO notes that: “Any penalty that we issue is intended to be effective, proportionate and dissuasive, and will be decided on a case-by-case basis.”
When should a Data Breach be Reported?
Any business which suffers a personal data breach is required to carry out an assessment of the likelihood of any risk to the rights and freedoms of individuals. If a risk is considered to be likely, the data breach should be reported to the ICO.
Who Should You Report a Data Breach To?
The ICO should be notified within 72 hours of the organisation becoming aware of any reportable breach. Follow the ICO’s guidance on breach notification on their website.
In addition to notifying the ICO, any individuals whose data has been involved in the breach should also be personally notified if the breach is likely to result in a high risk to the rights and freedoms of these individuals.
What Processes Should You Have in Place to Report a Data Breach?
Businesses should put in place data breach policies which cover the following steps:
- Initial reporting – there should be a process for staff to report any suspected breach to management.
- Assessment – how a breach is recorded and assessed to determine whether it needs to be reported to the ICO.
- ICO reporting – the process for reporting relevant data breaches to the ICO.
- Individual notification – process for reporting data breaches to the individuals involved (where it meets the threshold).
Simply-Docs has a wide array of documents and policies relating to data breaches and other key areas of data protection.
What Happens After You’ve Reported a Data Breach?
Aside from reporting relevant data breaches, organisations will have a lot of work to do following a data breach, particularly where this is the result of a cyberattack.
An investigation should be carried out to find out exactly what caused the data breach. The immediate issues should be resolved, new passwords issued where relevant, and disciplinary action taken if appropriate.
New measures should also be put in place to avoid similar data breaches occurring in future, which may involve updating company policies, upgrading software, and carrying out staff training.