If you are a keen follower of data privacy news, you might have noted that data breaches are currently occurring on a large scale. While this problem is not widespread, the concerns are real. A recent PEW study found that major data breach has affected more than 64% of Americans. Similarly, Australia also reported 63 breaches within six weeks, while a recent hack in the UK electronics store affected more than 10 million customers.
Surprisingly, even with these findings, the ICO revealed that nearly a third of every 500 data breaches reported do not satisfy the threshold to be considered a GDPR personal data breach. This causes confusion on the incidences to be reported, when to report, and the reporting process. The guide below provides insights on how to be GDPR compliant.
What is Personal Data Breach?
While any form of personal data infringement goes against employment law, most organizations don’t fully understand what should be reported to the General Data Protection Regulation. This often leads to over-reporting, especially by companies looking to maintain transparency and avoid possible legal sanctions.
According to GDPR, a data breach describes a breach in data security that leads to unlawful and accidental loss, destruction, alteration, and unauthorized access and disclosure of personal data stored, transmitted, or processed. Data breaches have varying severity, and not all forms meet this definition. Therefore, employment lawyers need to scrutinize whether the breach will likely affect the rights and freedoms of the affected person.
To determine whether you should report a breach or not, it is important to assess the case separately. Some personal data breaches not only cause inconveniences to those who depend on the data to function but also affect several individuals, leading to emotional, material, and physical damage. Note that regardless of the state of the data breach, organizations that have suffered the breach should formally document it for future reference.
Data breaches that meet the reporting threshold include;
Hackers breaching business data to steal financial information of their customers
System errors that allow customers to view private account details of other customers
If a disgruntled employee leaks payroll data of other company employees
Disclosure of patient health records to non-authorized third-parties
Data breaches that are unlikely to meet the GDPR threshold include;
A fire that razes down paper records
Loss or misplacing staff telephone lists
Accidentally erased hard drive with personal information.
When Should Data Breaches Be Reported?
Besides uncertainty surrounding what exactly should be reported, most organizations are also not sure about their roles in reporting data breaches. However, according to GDPR, companies should install suitable controls that detect personal data breaches and report them to the relevant authorities within 72 hours.
If the data breach presents a possible high risk to specific individuals, they should be notified promptly. This is to enable the affected individuals to put suitable precautions in place to prevent further damage. If notifying the individuals directly is impossible, such as situations where all the data has been lost, organizations should release a public statement.
What Information Should be Reported?
Most organizations often fail to provide all the necessary information required by the ICO when reporting breaches. While some may have genuine reasons, other organizations claim they are ill-prepared or lack the required technical expertise to provide all the details. Nonetheless, if your organization has been compromised, it is worth reading thepersonal data breach reporting form highlighting all the required information. The details include;
Cause, type, and nature of the data breach
Time the breach happened and time discovered.
Type of personal data affected by the breach
The possible impact of the breach
Estimated recovery time
While organizations might not provide such information within 72 hours in detail, ICO expects them to show that they are prioritizing the investigations and working around the clock to provide the crucial details within the timeframe provided. Organizations that can’t provide all the information immediately should inform the DPA and provide the details in stages.
Where to Report the Breach
If the nature of the personal data breach meets the GDPR criteria, affected organizations should report to relevant DPAs. The relevant DPA depends on the niche of the company. For instance, if the organization operates within one country, local DPAs should be notified. On the other hand, global organizations should report to local DPA, who will decide on how to inform other supervisory authorities.
Consequences of Failing to Report Personal Data Breach
GDPR highly cautions organizations from keeping personal data breaches a secret. To justify serious concerns, organizations risk a 2 percent global turnover or $11.3 million fine.
Without a doubt, making GDPR personal data breach notifications is daunting for most companies, with the majority taking up to 21 days to submit detailed reports. Therefore, organizations should plan ahead to ensure GDPR compliance in case of a data breach.