In the run-up to the EU General Data Protection Regulation (GDPR), we’ve been running a webinar series covering various aspects of the Regulation. At the end of each webinar, our presenter answers your questions, and given that the same questions appear often, we thought it would be helpful to list some of them, along with the answers, on our blog.
Q: Who do you report data breaches to?
A: A breach that threatens individuals’ rights and freedoms must be reported to your supervisory authority. When that threat is substantial, you also need to notify your data subjects.
Data processors that experience a breach need to notify their controller without undue delay. The controller must then notify the supervisory authority and data subjects as necessary.
Q: Is it still considered a breach even if no data is taken (such as with ransomware)?
A: Yes. A data breach includes both the theft of data and any breach that leads to the unauthorised destruction, loss, alteration, disclosure of, or access to, personal data.
Q: Does a breach of test data (randomised proper data) need to be reported?
A: If the test data includes information that would allow a natural person to be identified, then it’s within the scope of the GDPR. The same applies to breaches of the security surrounding that data, or to test data that was used without the data subject’s permission.
Q: Are there any guidelines regarding how, or by which medium, I should notify data subjects of a breach?
A: The GDPR does not prescribe the way in which you must produce breach notifications. It’s up to each organisation to develop its own internal policies governing how communications should be issued to data subjects in response to security breaches.
However, when notifying data subjects of a breach, it’s imperative to include the following information in clear and plain language:
- The nature of the breach;
- The name and contact details of the relevant data protection officer (DPO);
- The likely consequences of the breach; and
- The measures that have been taken or proposed to address the breach.
In situations where more than one person’s personal data has been breached, a public notice may be an appropriate means of notification.
Q: Are organisations really expected to report every single breach, regardless of how minor it is?
A: Data breaches only need to be reported to the supervisory authority when they are likely to pose a risk to the rights and freedoms of living natural persons.
Q: How can the 72-hour window to report a breach be enforced?
A: Failure to submit a notification of a breach that poses a high risk to the rights and freedoms of EU residents will result in strict disciplinary action. This could include fines of up to €20 million or 4% of annual global turnover – whichever is greater. Article 83 of the Regulation states that the manner in which the supervisory authority becomes aware of the breach will factor into the disciplinary action imposed. In other words, any organisation that doesn’t notify its supervisory authority of a data breach is likely to attract stricter disciplinary action.
In itself, this doesn’t answer the question of how authorities will make sure a breach is reported within 72 hours of its discovery. However, it’s reasonable to expect that the scale of the financial penalties will impel organisations to comply with the requirements.
Q: When it comes to reporting incidents under the GDPR, do you know if there will be a set of criteria to score incidents and decide what should be reported and what can be dealt with locally?
A: Any breach that could result in a risk to the rights and freedoms of natural persons will certainly have to be reported to the authorities and assessed on a case-by-case basis. The Information Commissioner’s Office (ICO) provides the following example: a supervisory authority would need to be notified about a loss of customer details where the breach leaves individuals open to identity theft. However, the loss or inappropriate alteration of a staff telephone list would not normally meet the threshold to trigger the notification requirement.
Prepare for the GDPR
Organisations preparing for the GDPR will probably have a team of compliance practitioners putting in place the appropriate measures. However, it’s equally important that anyone who handles personal data is aware of their obligations and the answers to the questions listed here.
Staff awareness training is an essential part of GDPR compliance, but it can be tricky putting together a comprehensive programme that addresses everything employees need to know. That’s why many people use our GDPR Staff Awareness E-learning Course.
This online course provides a thorough overview of the GDPR, explaining the Regulation’s principles and requirements. It uses simple, clear terms, so it’s ideal for anyone whose job involves handling personal data.