As part of their GDPR 12 month countdown series, the Taylor Vinters HR GDPR team look at the new data breach reporting obligations and what they mean for HR practitioners.
What is a personal data breach?
The definition is remarkably broad under the GDPR: a breach occurs if personal data (any data relating to an identified or identifiable natural person) is destroyed, lost, altered or if there is unauthorised disclosure of (or access to) personal data as a result of a breach of security.
It is therefore clear that a data breach goes beyond simply the loss of data (for example where a hard drive containing a database of your employees’ data is left on a train). It will also encompass situations such as where the lack of security controls on a company’s IT system has enabled data to be accessed by people that are not authorised to view that data.
When a company becomes aware of a personal data breach, what must it do?
Initial steps should be taken to secure the breach and undertake any remedial action to prevent further breaches of that personal data. The company should then consider whether any notifications need to be made to the Information Commissioners Office (‘ICO’) or to the individual data subjects.
Where a personal data breach is likely to result in a risk to the rights and freedoms of one or more data subjects (this could be an applicant, member of staff or other individual whose data has been breached) then the data controller must notify the ICO about the breach.
Accordingly, not all data breaches must be notified and instead, the notification obligation is only triggered when data subjects are placed at some kind of risk. It is anticipated that there will be some pan-European guidance published in due to course to help employers determine whether a particular breach should be notified to the relevant supervisory authority. However, in the meantime, employers should start to consider what type of personal data breaches it may face and what type or level of risks (for example discrimination, financial loss, or loss of confidentiality) those breaches may pose to data subjects.
What information must the company give to the ICO?
The ICO must be provided as a minimum with the following details:
- The nature of the breach, including the approximate number of individuals affected and the categories of data that have been breached;
- Contact information for the employer’s data protection officer;
- The likely consequences of the personal data breach; and
- The measures taken or proposed to be taken by the employer to address the breach.
The ICO has committed to introduce a new phone reporting service that employers can use to report breaches. This will be in addition to the ICO’s web reporting form.
How quickly must a notification to the ICO be made?
Employers must report notifiable breaches within 72 hours of becoming aware of them. The fact an employer will rarely have concluded its internal investigation into relevant matters within this initial 72 hour period, must not, however, deter the notification being made. Further, if not all of the information about the breach is available by the 72 hour deadline, then the information that is available must be provided in any case, with the remainder being provided as soon as possible thereafter.
Do affected data subjects need to be told about the breach?
When there is a ‘high risk’ to the rights and freedoms of data subjects, the affected individuals must be notified ‘without undue delay’. Again, we anticipate that guidance on what constitutes a high risk will be published in due course, to help employers determine when this additional reporting obligation will arise. Employers should also bear in mind, however, that this additional notification will not be required if:
- The employer has applied appropriate technical and organisational protection measures to the affected personal data, such as encryption or other means of making the data unintelligible to any unauthorised access; or
- Measures have been taken after the breach to ensure that the high risk to the individual’s rights and freedoms is unlikely to materialise; or
- It would involve disproportionate effort to notify individual data subjects. In this circumstance, a public announcement may be more appropriate.
What are the consequences of failure to notify a personal data breach?
Employers could face a fine of up to 10 million Euros or 2% of the organisation’s global turnover (if higher) as well as having to deal with any potential reputational damage. However, the notification obligations are not particularly onerous and provided that employers have an appropriate internal breach reporting procedure in place, then compliance should be achievable by all organisations.
What other personal data breach obligations should employers be aware of?
All companies must keep an internal data breach register. This must record certain details of all data breaches and it is vital therefore that employees are informed and trained on what a personal data breach may look like in practice and the steps they have to take to report the breach internally. The register must be available for inspection by the ICO, upon request. Keeping and maintaining the breach register is therefore a key way in which employers can demonstrate their ability to comply with the overarching principle of accountability
What should HR’s role be in connection with personal data breaches?
We recommend that as part of their GDPR planning project, HR practitioners consider the following
- It is recommended that a HR resource is designated as being the person to whom employees may direct any queries regarding personal data breaches.
- HR should have input into developing the organisation’s internal data breach reporting procedure to ensure that it makes sufficiently clear what the obligations of employees are in the event of a personal data breach.
- Once the internal breach reporting procedure is finalised, HR will have a key role in ensuring that all employees are made aware of the procedure (and any accompanying policy) and what their obligations are, should they suspect a data breach.
- Thought should be given to whether there are any measures that can be taken to foster an internal culture, in which those that report personal data breaches do not fear that they will face repercussions from reporting such a breach.
- HR will have to perform a balancing act between, on the one hand, creating an open culture, and on the other hand ensuring that employees who deliberately breach personal data obligations are dealt with in accordance with company disciplinary procedures.
- HR should specifically consider whether the technical and organisational protection measures that are currently in place to ensure the security of HR data, are adequate. For example, are there any measures that can be taken to enhance this security, such as encryption and other ways of anonymising data?