Notification of Personal Data Breaches
16 August 2017
Under the current data protection regime there is no general legal obligation on data controllers to report personal data breaches (although the Information Commissioner’s Office advises that serious breaches should be brought to its attention). This position is set to change with the introduction of the General Data Protection Regulation in May 2018, which will introduce a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority and, in certain circumstances, to the individuals affected by the breach.
What is a personal data breach?
A personal data breach is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. A breach therefore covers more than the loss or theft of personal data: a loss of availability (for example, data that has been deleted or encrypted by ransomware) or an unauthorised alteration of data is also a personal data breach, even where no data leaves the organisation.
A breach must be notified to the relevant supervisory authority unless it is unlikely to result in a risk to the rights and freedoms of individuals. In practice this means notifying breaches which, if unaddressed, are likely to have a detrimental effect on the individuals concerned (such detrimental effects include, for example, damage to reputation, financial loss and loss of confidentiality). Breaches which fall below this threshold need not be notified, but every breach must still be documented internally, together with the reasoning for the decision taken.
Individuals must be notified about a personal data breach where the breach is likely to result in a high risk to their rights and freedoms. The reference to “high risk” indicates that the threshold for notifying the individuals affected is higher than the threshold for notifying the relevant supervisory authority.
What should the notification contain?
The notification of the personal data breach should contain, inter alia, the following information:
- the nature of the personal data breach (including, where possible, the categories and approximate number of individuals concerned and the categories and approximate number of personal data records concerned);
- the name and contact details of the organisation’s data protection officer or other contact point from whom more information can be obtained;
- a description of the likely consequences of the data breach; and
- a description of the measures taken, or proposed to be taken, to deal with the data breach, including, where appropriate, measures to mitigate its possible adverse effects.
When to notify a data breach
A personal data breach must be notified to the relevant supervisory authority without undue delay and, where feasible, within 72 hours of the organisation becoming aware of it. It is acknowledged that a personal data breach cannot always be fully investigated within this time frame, but the breach should still be notified within 72 hours, with further information provided in phases as the investigation progresses. Where notification is made after the 72 hours have expired, it must be accompanied by the reasons for the delay. Because the clock starts when the organisation becomes aware of the breach, organisations will need internal procedures that ensure suspected breaches are escalated promptly to those responsible for making the assessment.
If the breach is of a kind which must be notified to the individuals affected by it, then the organisation must notify them without undue delay. Notification to individuals is not required where the organisation has applied appropriate technical protection measures to the personal data concerned, such as encryption, which render it unintelligible to any person not authorised to access it, or where the organisation has taken subsequent measures which ensure that the high risk is no longer likely to materialise.
Failure to notify a breach when required to do so can result in fines of up to 10 million euros or 2% of an organisation’s total worldwide annual turnover, whichever is higher.
Should you have any queries relating to the above, or in relation to any other aspect of the General Data Protection Regulation, which will come into force in May 2018, please do not hesitate to contact Aaron Roddy or any other member of Carson McDowell’s dedicated Information Law team.