Context

This article outlines a GDPR personal data breach procedure dealing with the assessment steps toward reporting a breach to a Supervisory Authority under the European Union General Data Protection Regulation (GDPR).

The GDPR personal data breach procedure described in this article only applies to Controllers. Processors should understand the process, but if a personal data incident occurs, they must inform the Controller, who is accountable for managing it from start to finish.

Purpose of this document

This document provides a practical and systematic GDPR personal data breach procedure that deals with personal data incidents that may be assessed as reportable breaches. From this point forward, we will refer to a suspected personal data breach as a “personal data incident”.

Terminology

  1. Controller: the entity that determines the purposes, conditions and means of personal data processing
  2. Processor: an entity that processes personal data on behalf of the Controller under explicit instructions given by the Controller
  3. Supervisory Authority: an EU country’s independent public authority established to ensure data protection compliance
  4. DPO: Data Protection Officer, a named and accountable person in your organisation
  5. Personal data incident: an event where there is a possibility that personal data was compromised
  6. Reportable breach: a personal data incident that is assessed to have compromised personal data and has or may result in physical, material or non-material damage to the individual(s) impacted by the personal data incident
  7. Pseudonymisation: rendering personal data to a state where it is no longer attributable to a specific individual without the use of additional information
  8. Article: a section in the GDPR containing regulatory requirements
  9. Recital: additional descriptive text that accompanies an Article

NOTE: Controller is a GDPR term. Under data protection laws that do not distinguish between a Controller and a Processor, the default position for every organisation is that of Controller. The Controller is accountable under the relevant data protection law.

What the scaremongers say

Some Supervisory Authorities have commented that there is a considerable amount of scaremongering about what constitutes a reportable personal data breach. Typical claims include:

  1. All personal data incidents must be reported to the Supervisory Authority
  2. All personal data incidents must be reported to all individuals affected by the incident
  3. All personal data incident details must be known immediately
  4. There are huge fines for failing to report a personal data incident immediately
  5. The Supervisory Authorities will use breach reporting as a way to punish organisations

None of the above is true.

Let’s read what the GDPR says in Article 33.1:

Article 33.1 “In the case of a personal data breach, the Controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.”

Fact versus fiction

Depending on the circumstances of a personal data incident:

  1. It may or may not be necessary to notify the Supervisory Authority
  2. It may or may not be required to notify the affected individuals
  3. If notification is required, there is a 72-hour window to address the incident
  4. An extension beyond the initial 72-hour window is allowed, provided the Supervisory Authority receives a coherent justification

Approach your personal data incident with a level head

If you panic, you’ll make mistakes and make things worse.

Here is a suggested GDPR personal data breach procedure for you to follow to help you keep your cool when dealing with a personal data incident.

NOTE: THE 72-HOUR CLOCK DOES NOT START IMMEDIATELY

Personal data incident resolution steps

1. You are made aware of a personal data incident

All personal data incidents (suspected or real) must be reported to your Data Protection Officer (or equivalent) as soon as possible.

When personal data incidents are reported, we recommend not using the word “breach” and always referring to the event as a “personal data incident”, because not all personal data incidents become reportable breaches. This may seem like splitting hairs, but it is essential to differentiate the two events.

Employing automated monitoring measures and encouraging staff members to escalate personal data incidents caused by human error (e.g. emailing personal data to the wrong person) should help manage personal data incidents before they get out of control.

If a personal data incident goes undetected by your internal channels and is exposed by a complaint lodged with your Supervisory Authority by an individual, the consequences may be severe.

2. Assessment

Before starting any assessment, your DPO must determine which process originated the personal data incident and whether your organisation is acting as a Controller or a Processor.

If your organisation is a Processor, your DPO should immediately inform the Controller for that process about the personal data incident. The Controller will then manage the personal data incident from start to finish. The Controller may ask for further assistance, and you must provide it if requested.

If your organisation is the Controller, you are responsible for managing the personal data incident from start to finish, as suggested below.

All personal data incidents should first be assessed to determine if personal data has been compromised.

The Data Protection Officer (or equivalent) should perform the assessment. In addition, the assessment should involve any staff member that the Data Protection Officer (or equivalent) sees fit to question, for example, information security, the business process owner where the personal data incident happened, internal or external legal counsel, the person who reported the personal data incident, etc.

3. The personal data incident did not compromise personal data

If the assessment concludes that the personal data incident is a false positive and no personal data was compromised, breathe a sigh of relief and log the personal data incident as closed along with a description of the action taken.

4. Personal data was compromised, but is there a risk?

If personal data was compromised, the first question to ask is:

Is the personal data incident “likely to result in a risk to the rights and freedoms of natural persons”?

Recital 85 illustrates these risks:

“physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned.”

Depending on the complexity of the personal data incident, interpreting this rule may need input from legal counsel. For example, a package is sent with an address label of “Dave Smith”, but the contents of the package are for “Andrea Jones”, and there is also a packing list with her name and address inside the box. Mr Smith informs you of the delivery error and returns the entire contents of the package. Has there been a breach according to the terms stated above? Probably not: the personal data of “Andrea Jones” was compromised, but no damage has been done. By contrast, a data incident exposing credit card data that is then used fraudulently causes damage and is therefore reportable. The concept of damage drives whether a personal data incident is or is not a reportable breach.

If the answer is that no damage was done and none is likely to be done, there is no risk. Breathe a sigh of relief and log the personal data incident as closed, along with a description of the action taken.

If the answer is that damage was done or is likely to be done, there is a risk, and you must treat the incident as a reportable breach. The 72-hour clock starts ticking. It is highly recommended that you report the breach within the 72-hour deadline. The 72-hour deadline does not make any special allowances for weekends or holidays.

If it is not feasible to notify within 72 hours, the notification must still be made along with additional information stating the reasons for the delay.

5. The 72-hour notification countdown tasks

  1. The DPO escalates the breach to the Executive.
  2. The DPO, the impacted business areas and the support units work together to understand the extent and scale of the breach, prepare the content of the breach notification that must be sent to the Supervisory Authority and, if the breach is severe, draft the notifications to be sent to the affected individuals.
  3. The DPO works with public relations and legal and regulatory staff to determine if any legal action is necessary.
  4. The DPO finalises the notification for the Supervisory Authority (see section Creating the notification for the Supervisory Authority).
  5. Optional: The DPO finalises the notification for affected individuals (see section Creating the notification for individuals).
  6. Final review with key stakeholders regarding the notification releases.
  7. The notification is sent to the Supervisory Authority, together with your explanation for exceeding the 72-hour window, if applicable.
  8. Optional: The notification is sent to individuals.
  9. The 72-hour clock stops.
  10. Close the personal data incident with a description of the investigation’s outcome and all remedial work to be done.
  11. Optional: The DPO and public relations release relevant statements to the media.
  12. Optional: Legal action commences.
  13. Start remedial work.
  14. Await the Supervisory Authority’s response.

Although it is not recommended, it is allowed to take more than 72 hours before sending the notifications, as long as you send the reasons for the delay to the Supervisory Authority along with the notification.

The Supervisory Authority’s response (step 14) may be an order to send a notification to individuals. If so, see the Creating the notification for individuals section. You may also be inspected and face further action from the Supervisory Authority.

6. Creating the notification for the Supervisory Authority

The notification to the Supervisory Authority should contain:

  1. A description of the nature of the personal data breach, including (where possible):
    • the categories of data subjects concerned
    • the approximate number of data subjects concerned
    • the categories of personal data records concerned
    • the approximate number of personal data records concerned
  2. The name and contact details of the DPO (or equivalent)
  3. The likely consequences of the breach
  4. Measures proposed or taken by the Controller to address the breach, including, where appropriate, measures to mitigate possible adverse effects.

Once complete, the breach notification is sent to the Supervisory Authority.

7. Creating the notification for individuals

If a breach is likely to result in a high risk to an individual’s personal data, the breach must be communicated to the affected individuals unless:

  1. The breached data was in an unreadable format.
  2. The breached data has been neutralised.
  3. Sending the notification to individuals requires disproportionate effort.

If point 3 is invoked, a public communication or a similar measure is issued to inform all affected individuals.

The notification to individuals should contain:

  1. A description, using clear and plain language, of the nature of the personal data breach, including (where possible):
    • the categories of data subjects concerned
    • the approximate number of data subjects concerned
    • the categories of personal data records concerned
    • the approximate number of personal data records concerned
  2. The name and contact details of the DPO (or equivalent)
  3. The likely consequences of the breach
  4. Measures proposed or taken by the Controller to address the breach, including, where appropriate, measures to mitigate possible adverse effects.

Once complete, the breach notification is sent to the individuals or a public statement is issued.
