As mentioned in our previous GDPR update, the ninth update in this series will deal with the topic of mandatory breach notifications from an employment law perspective under the GDPR.
The GDPR introduces new notification requirements in respect of personal data breaches. It is helpful, in the first instance, to examine exactly what a personal data breach is. Article 4(12) of the GDPR defines it as follows:
“A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
Employers should be cognisant of two main types of data breach. The first type is an external ‘hacker’ breaking into a company’s IT systems and accessing or removing information. Employers should of course be wary of this type of breach and ensure that appropriate technical and organisational security measures are in place to prevent it.
The second type of data breach is much more common, however, and particularly so in the employment context. This is where information is accidentally lost (eg, an employee leaves a hard copy file on a train or a laptop in a café) or where information is sent to the wrong recipient (eg, an employee posts confidential details to the incorrect address). Staff training and awareness can often help reduce these types of breach.
It is also important to remember that a data breach can occur internally within an organisation. A practical example would be a manager transferring confidential personal data (eg, medical or HR data relating to employees) from one department to another. The manager intends the information to be viewed only by a senior director, but uses a shared drive to save and transfer the data. Because there are no access restrictions on the shared drive, every employee of the business is able to see the information. This amounts to a data breach where the personal data is viewed by employees who should not have access to it, and, in the absence of access logs showing that nobody did, an employer will find it difficult to demonstrate that the data was not accessed.
From 25 May 2018, as soon as an employer becomes aware that a personal data breach has occurred, it must notify the Data Protection Commission (the “DPC”) “without undue delay” and, where feasible, not later than 72 hours after having become aware of the breach. Where notification cannot be made within 72 hours, the reasons for the delay must accompany it. The notification must, at a minimum, describe the nature of the breach (including, where possible, the categories and approximate number of data subjects and personal data records concerned), give the contact details of the data protection officer or another contact point, describe the likely consequences of the breach and describe the measures taken or proposed to address it. Information may, however, be provided to the DPC in phases as the extent of the breach becomes clearer or as more information about it is discovered.
There is one exception to the notification requirement. If the employer is able to show that the personal data breach is “unlikely to result in a risk to the rights and freedoms” of the affected data subjects, then the breach does not have to be notified to the DPC. Take for instance a situation where an employee loses a hard drive containing personal data, but the hard drive is encrypted. The fact that the hard drive has been lost means that a “data breach” has occurred. Because the drive is encrypted, however, it is very unlikely that anyone will be able to access the personal data, and so the breach is unlikely to affect the data subjects whose information was on it. An employer in that scenario may therefore not have to notify the breach. This only holds where the encryption is strong, the decryption key or password was not lost with the device, and the employer can demonstrate (eg, from its device management records) that the drive was in fact encrypted at the time of the loss.
It should be kept in mind that, if an employer determines that a breach does not pose a risk to data subjects, the DPC may take a different view. It is therefore important for the employer to be in a position to demonstrate its reasoning in reaching that determination. In this regard, an employer must keep a record of every data breach that occurs, regardless of whether or not it is one that must be notified to the DPC. The record should document the facts relating to the breach, its effects and any remedial action taken by the employer.
The GDPR also introduces an additional mandatory notification requirement where a data breach is likely to result in a “high risk” to data subjects. In that case, not only must an employer notify the DPC, it must also communicate the breach directly to the data subjects concerned without undue delay. Where a large number of data subjects is involved and direct communication would involve disproportionate effort, an employer may instead have to make a public communication, such as a press release, giving details of the breach. The reputational damage surrounding a breach can therefore be as significant for employers as an administrative fine, if not more so.
The new notification requirements under the GDPR are noteworthy, particularly given how easily a data breach can occur. We recommend that employers start planning for data breaches now: it is not a matter of if a data breach will occur but when. Internal systems and procedures should be reviewed and staff training introduced where possible. We suggest that employers prepare and implement a Data Breach Response Plan so that they can act quickly to contain and mitigate breaches when they arise and meet the 72-hour deadline. From an employment perspective, HR policies should make it clear that repeated, deliberate or reckless data breaches may be treated as a serious disciplinary matter and can lead to a sanction up to and including dismissal.
Given the potential for large fines and liabilities under the GDPR, which will be set out in our next update, employers should ensure that they have the proper processes and policies in place to deal with data breaches and the mandatory notification requirements that attach to them.
If you are interested in further detail on the HR aspects of the GDPR, you can access a panel discussion on this from the Matheson Employment Law Podcast series.