Data breach management and the new EU data protection regulation.
In the UK there is currently no legal obligation under the Data Protection Act 1998 (DPA) to report personal data breaches to anyone. However, the Information Commissioner’s Office (ICO) guidance recommends that serious breaches should be brought to its attention.
Last year telecoms company TalkTalk was the subject of a cyber-attack in which almost 157,000 customers’ personal details were hacked. The company was criticised for its slow response, especially the time it took to inform the ICO and customers.
The new EU General Data Protection Regulation contains an obligation on data controllers to notify supervisory authorities of personal data breaches. In some cases this extends to the data subjects as well. This will have a big impact on data controllers in both the public and private sectors. The regulation will replace all data protection legislation in EU member states (including the UK’s DPA) without the need for further national legislation.
Article 4 of the regulation defines a personal data breach as: ‘A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.’
Article 31 of the regulation states that once the data controller becomes aware that a personal data breach has occurred, it should, without undue delay and, where feasible, not later than 72 hours after becoming aware of it, notify the personal data breach to the competent supervisory authority (the ICO in the UK).
There is no need to do this where the controller is able to demonstrate that the breach is unlikely to result in a risk for the rights and freedoms of individuals – for example, a very minor data breach involving innocuous information about a few people. Where the 72-hour deadline cannot be achieved, an explanation of the reasons for the delay should accompany the notification.
The notification must contain the following minimum information:
- a description of the nature of the personal data breach including, where possible, the categories and approximate number of data subjects and data records concerned;
- the name and contact details of the controller’s data protection officer (now a statutory position) or other contact point where more information can be obtained;
- a description of the likely consequences of the personal data breach; and
- a description of the measures taken, or proposed to be taken, by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Where it is not possible to provide the above information at the same time, the information may be provided in phases without undue further delay.
The new regulation will require all personal data breaches, no matter how insignificant, to be documented by data controllers. This should include the facts surrounding the breach, its effects and the remedial action taken. This documentation must enable the supervisory authority to verify compliance with article 31. Some, if not all, of it will also be accessible via freedom of information requests, as many local authorities have already found.
Article 32 of the new regulation states that data subjects should be notified without undue delay if the personal data breach is likely to result in a high risk to their rights and freedoms (for example, fraud or identity theft), in order to allow them to take the necessary precautions. The notification will be similar to the one made to the supervisory authority. It should describe, in clear and plain language, the nature of the personal data breach as well as recommendations for the individuals concerned to mitigate potential adverse effects.
Notifications to individuals should be made as soon as reasonably feasible, and in close cooperation with the supervisory authority and respecting guidance provided by it or other relevant authorities. For example, the need to mitigate an immediate risk of damage would call for a prompt notification, whereas the need to implement appropriate measures against continuing or similar data breaches may justify a longer delay.
There is no need to communicate a personal data breach to individuals if:
a) the data controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the data affected by the personal data breach, in particular those that render the data unintelligible to any person who is not authorised to access it, such as encryption; or
b) the controller has taken subsequent measures which ensure that the high risk for the rights and freedoms of data subjects is no longer likely to materialise; or
c) it would involve disproportionate effort. In such a case, there will instead have to be a public communication (for example, a press release) or similar measure whereby the data subjects are informed in an equally effective manner.
Even where a data controller has chosen not to inform data subjects, the supervisory authority can instruct it to do so. No doubt there will be more detailed rules setting out what kinds of breach require notification and to whom.
Currently the ICO can issue fines (monetary penalty notices) of up to £500,000 for serious breaches of the DPA. When the regulation comes into force, this will be increased to 4% of global annual turnover for the preceding year (for businesses) or €20m.
The regulation contains a right to civil damages, as under section 13 of the DPA. Article 77 of the regulation states: ‘Any person who has suffered material or immaterial damage as a result of an infringement of the regulation shall have the right to receive compensation from the controller or processor for the damage suffered.’
This may see more data subjects take legal action against data controllers for data breaches. There may even be more class actions like the one against the London borough of Islington in 2013, when 14 individuals settled for £43,000 in compensation after personal data was disclosed without their authority. This action followed an ICO investigation which resulted in the council being fined £70,000 under the DPA.
The Network and Information Security Directive will also have a big impact on some UK businesses. It will impose new network and information security requirements on operators of essential services and digital service providers. These include banks, energy companies, healthcare providers and cloud services. Their obligations will include a requirement to report certain security incidents to competent authorities or computer security incident response teams (to be established by each member state).
The directive will be formally adopted this spring, leaving the UK and other member states two years to bring in national laws to implement it.
All organisations should be examining their approach to data breaches now and be putting into place processes to comply with the new rules.
Ibrahim Hasan is a solicitor and director of Act Now Training