Personal data breaches and notification requirements

Under the Data Protection Act 2018 personal data must be:

processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’ principle)

A personal data breach must be notified by:

  • The controller to the ICO within 72 hours of becoming aware of a personal data breach (unless the breach is unlikely to result in a risk for the rights and freedoms of individual(s) affected by the breach)
  • The controller to the affected individual(s) without undue delay (unless the breach is unlikely to result in a high risk for the rights and freedoms of those affected individual(s))
  • The processor to the controller without undue delay

The UK GDPR also carries a substantial fine for controllers and processors which experience personal data breaches – the greater of £8.7M (€10m) or (for undertakings) 2% of total worldwide annual turnover. In addition, affected individual(s) will be able to pursue the controller and/or the processor for compensation (which is not financially capped) if they suffer any material or non-material damage as a result of a personal data breach. Both the controller and processor will be liable unless they can prove that they were not in any way responsible for the damage suffered by the affected individual(s). See What are the fines for infringement.

In respect of the EEA, the European Data Protection Board has endorsed guidelines adopted by its predecessor, the Article 29 Working Party, on how to deal with notifications of personal data breaches. Here are some key highlights/takeaways endorsed by the ICO for the purposes of the UK:

  1. When notifying a breach to a supervisory authority (e.g., the ICO), the controller can obtain advice from the ICO on whether it needs to also notify the individuals affected by the personal data breach. However, if it is obvious to the controller that, due to the nature of the breach and the severity of the risk, it needs to notify the affected individuals (e.g. there is an immediate threat of identity theft) in exceptional circumstances, notification to the individuals may take place before notification is given to the ICO. The controller can also get advice from the ICO on the appropriate communications to be sent to, and the most appropriate way to contact, affected individuals.
  2. As noted above, personal data must be processed in a manner that ensures it is kept secure, including protection against “unauthorised or unlawful processing and against accidental loss, destruction or damage”. Meanings have been given to the following terms (i) Unauthorised or unlawful processing – this could include disclosure of data to (or access by) recipients who are not authorised to receive (or access) the data, or any other form of processing which violates the UK GDPR; (ii) Loss – the data may still exist, but the controller has lost control or access to it, or no longer has it in its possession; (iii) Destruction – the data no longer exists, or no longer exists in a form that is of any use to the controller; and (iv) Damage – personal data has been altered, corrupted, or is no longer complete.
  3. A personal data breach can e categorised as one, or a combination, of (i) a confidentiality breach – where there is an unauthorised or accidental disclosure of, or access to, personal data; (ii) an availability breach – where there is an accidental or unauthorised loss of access to, or destruction of, personal data; or (iii) an integrity breach – where there is an unauthorised or accidental alteration of personal data. A breach of confidentiality or integrity may be relatively clear, but an availability breach may not. A breach will always be regarded as an availability breach when there has been a permanent loss of, or destruction of, personal data.
  4. In relation to whether a temporary loss of availability (e.g. a business has a power failure or suffers denial of service attack) amounts to a personal data breach and needs to be notified will depend on (i) the circumstances of the loss of availability; (ii) whether the lack of availability of personal data is likely to result in a risk to the affected individuals and (iii) whether the controller has implemented technical and organisational measures to ensure a level of security appropriate to the risk, considering, amongst other things, “the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services” and “the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident”. A temporary loss of availability to critical medical data about patients could present a risk to individuals’ rights and freedoms if, e.g. operations are cancelled. But if a company’s systems are unavailable for several minutes (e.g. due to a power outage) and customers are unable to call the controller and access their records, this is unlikely to present a risk to individuals’ rights and freedoms (but it is still a recordable incident).
  5. Loss of availability might be only temporary and may not have an impact on individuals, but the fact that there has been a network intrusion could still constitute a potential confidentiality breach and thus notification to the ICO may still be required.
  6. Failure to notify a personal breach could reveal either an absence of existing security measures or an inadequacy of the existing security measures. In that case, the ICO will also have the possibility to issue sanctions for failure to notify or communicate the breach on the one hand, and absence of (adequate) security measures on the other hand, as they are two separate infringements.
  7. The UK GDPR requires controllers to notify a personal data breach to the ICO without undue delay and, where feasible, not later than 72 hours after having become aware of it. A controller will become “aware” when it “has a reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised … In some cases, it will be relatively clear from the outset …, whereas in others, it may take some time to establish if personal data have been compromised. However, the emphasis should be on prompt action to investigate an incident to determine whether personal data have indeed been breached, and if so, to take remedial action and notify if required”. There is no penalty for reporting an incident that ultimately transpires not to be a personal data breach.
  8. When the controller becomes aware, it may “undertake a short period of investigation in order to establish whether or not a breach has in fact occurred. During this period of investigation, the controller may not be regarded as being “aware”. However, it is expected that the initial investigation should begin as soon as possible and establish with a reasonable degree of certainty whether a breach has taken place, and the possible consequences for individuals; a more detailed investigation can then follow”.
  9. If a controller uses a processor and the processor becomes aware of a personal data breach, the processor must notify the controller without undue delay. Therefore, the controller will be considered “aware” once the processor has informed it of the breach. It is therefore vital to ensure that the written contract between the controller and processor clearly sets out the processors obligations in the event of a personal data breach, including how it goes about notifying the controller and what assistance and information it will provide to the controller (and when).
  10. Processors who experience a personal data breach do not need to assess the likelihood of risks arising before notifying the controller – that is the controllers responsibility. The processor merely needs to establish that a breach has occurred and then inform the controller.
  11. As the UK GDPR only requires a processor to notify without undue delay, the EDPB recommends prompt notification by the processor to the controller, with further information about the breach provided in phases as information becomes available. This will ensure the controller is able to meet its notification requirement of 72 hours to the ICO.
  12. A controller could become aware of a personal data breach and, whilst beginning its investigation, and before notification, identify further similar breaches, which have different causes. Depending on the circumstances, it may take the controller a little time to establish the extent of the breaches and, rather than notify each breach individually, the controller may decide to do one notification that represents several very similar breaches, with possible different causes. This could lead to notification to the ICO being delayed by more than 72 hours after the controller first becomes aware of these breaches. Each individual breach in this scenario is in fact a reportable incident. However, to avoid being overly burdensome, the controller may be able to submit a “bundled” notification representing all these breaches, if they concern the same type of personal data breached in the same way, over a relatively short space of time. If a series of breaches take place that relate to different types of personal data, breached in different ways, then notification should proceed in the normal way.
  13. The threshold for communicating a personal data breach to individuals is higher than for notifying the ICO and not all breaches will therefore be required to be communicated to individuals. A non-exhaustive list of examples of when a breach may be likely to result in high risk to individuals.
  14. Communication of a personal data breach must be made “without undue delay” which means as soon as possible. This is different to the interpretation of the same term for processors to notify controllers (see above) because the main objective of notification to individuals is to provide specific information about steps they should take to protect themselves from any negative consequences of the breach. A higher threshold for notifying individuals is intended to protect them from “unnecessary notification fatigue”.
  15. The personal data breach must be communicated to the affected individuals directly, unless doing so would involve a disproportionate effort. In such a case, a public communication or similar measure can be used. Dedicated messages should be used when communicating a personal data breach to the affected individuals and they shouldn’t be sent with other information (e.g. regular updates, newsletters or standard messages). The communication must be clear and transparent. Transparent communication could include direct messaging (e.g. email and SMS), prominent website banners, postal communications and prominent advertisements in print media. A notification solely confined within a press release or corporate blog isn’t a transparent communication.
  16. A controller shouldn’t communicate a personal data breach using a contact channel compromised by the breach as that communication channel could also be used by attackers impersonating the controller.
  17. A high risk will exist if the personal data breach might lead to physical, material or non-material damage for the affected individuals (e.g. discrimination, identity theft or fraud, financial loss and damage to reputation). Where personal data reveals “racial or ethnic origin, political opinion, religion or philosophical beliefs, or trade union membership, or includes genetic data, data concerning health or data concerning sex life, or criminal convictions and offences or related security measures, such damage should be considered likely to occur”.
  18. Notification is not required if the following 3 conditions are met (i) “The controller has applied appropriate technical and organisational measures to protect personal data prior to the breach, in particular those measures that render personal data unintelligible to any person who is not authorised to access it. This could, for example, include protecting personal data with state-of-the-art encryption (ii) Immediately following a breach, the controller has taken steps to ensure that the high risk posed to individuals’ rights and freedoms is no longer likely to materialise. For example, depending on the circumstances of the case, the controller may have immediately identified and acted against the individual who has accessed personal data before they were able to do anything with it. Due regard still needs to be given to the possible consequences of any breach of confidentiality, again, depending on the nature of the data concerned (iii) It would involve disproportionate effort to contact individuals, perhaps where their contact details have been lost because of the breach or are not known in the first place. For example, the warehouse of a statistical office has flooded and the documents containing personal data were stored only in paper form. Instead, the controller must make a public communication or take a similar measure, whereby the individuals are informed in an equally effective manner. In the case of disproportionate effort, technical arrangements could also be envisaged to make information about the breach available on demand, which could prove useful to those individuals who may be affected by a breach, but the controller cannot otherwise contact”. 

What should businesses do?

It is inevitable that all businesses will suffer personal data breaches. Businesses need to ensure that they have data breach response plans in place. These should be regularly stress-tested and updated, and assigned personnel given regular training.

If you would like any further information or advice on personal data breaches, or the UK GDPR generally, please contact us.

Disclaimer: This article is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from taking any action as a result of the contents of this article.