Amber Strickland
Principal Associate
Article
In the event of a personal data breach, organisations face critical responsibilities regarding notification procedures. Primarily, there is a legal obligation under the UK General Data Protection Regulation (GDPR) to inform the Information Commissioner's Office (ICO) of a personal data breach under specific circumstances. Additionally, in cases where the breach is likely to result in a high risk to the rights and freedoms of individuals, organisations must also notify the affected data subjects. Both of these notification processes are crucial steps in maintaining data protection legal compliance, mitigating risks, and upholding the rights of individuals to be informed.
In this second article in our 'data and cyber school' series, we provide a clear overview of notification procedures, guiding organisations through their obligations to both the ICO and data subjects alike, thereby ensuring transparency, regulatory compliance and responsible data handling practices.
Personal data is any information that identifies an individual, while 'special category' data is 'sensitive personal data', such as data relating to an individual's political opinion or religious beliefs. Personal data and special category data are protected under the UK GDPR.
A personal data breach occurs where there is any "accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data".
If a personal data breach is notifiable to the ICO, the controller must make the notification within 72 hours of becoming aware of the breach. Failure to do so, either at all or on time, might cost you significant fines, or even result in sanctions against your organisation.
So, how do you know if a personal data breach is notifiable by your organisation and what should you do if it is? Your organisation needs to establish:
A personal data breach can harm individuals in several ways, for example: damage to reputation, loss of confidentiality, identity theft or fraud and loss of control over data (causing distress or other issues).
If there is a risk of harm to the individuals whose data has been the subject of a data breach, then the controller must notify the ICO. The notification must be made within 72 hours of the controller becoming aware of it. Remember, the weekend counts!
A data controller becomes aware of a data breach when they have a reasonable degree of certainty that a security incident has occurred and led to personal data being compromised.
It's important to note that while processors do not have direct obligations to notify the ICO/data subjects under the UK GDPR, they are required to notify the controller without undue delay on becoming aware of a data breach impacting the controller's data. You may also have notification obligations in your contracts with third parties that will need to be complied with.
This is easier said than done, especially if not all of the information pertaining to the breach is available. When notifying the ICO, you are required to describe the nature of the breach, provide a contact name (and the details of the Data Protection Officer, if you have one), the likely consequences of the breach and the measures that are being taken or proposed to remedy the situation. Precise information, such as the number of data subjects at risk or the number of data records breached, might not be available from the outset. If you know that there is a risk of harm to the rights and freedoms of individuals (such that the threshold for notification to the ICO is met), then notify the ICO as soon as possible and provide the information that you do have. It is better to do a preliminary notification and then update the ICO as the investigation progresses, than to wait for more information and delay the notification.
Not all breaches are notifiable; some do not pose a risk to individuals. Your business will be required to justify why it did not notify the ICO, so written records in this respect are crucial. The UK GDPR requires an organisation to document the facts, detailing the effects of a breach and any action taken to resolve it. We suggest that this is documented in a breach log (or other similar record) and that you keep in mind that these records may be disclosable in litigation and/or a regulatory investigation.
The ICO should only be notified where there is a risk to the rights and freedoms of individuals. The ICO does not want to be notified of every single personal data breach – just the ones that meet the notification threshold. The ICO publishes a list of organisations that notify it of a data breach. If you make a notification unnecessarily, your business name will still appear on that list.
Notifications can be disclosable in litigation and/or a regulatory investigation. Where a notification is made to the ICO because there is risk of harm to individuals, then there is also a risk of legal action and regulatory investigation. Any of the individual data subjects, to whom the personal data belongs, may bring a claim against your organisation for damages and the notification itself will help to inform the ICO as to whether regulatory action is required. Therefore, it is important to draft any notification to the ICO accurately and strategically. If you are worried about the content of the notification, seek legal advice from the outset.
It is important that your business cooperates fully with the ICO. Even after the notification, the ICO may ask further questions in order to inform the decision as to whether to close or progress the investigation. This is an opportunity to show the ICO the technical and organisational measures your organisation has in place to prevent a personal data breach and what has been done since to make sure that such an incident does not reoccur. If the business takes this process seriously and invests time and effort (including from your IT team) in demonstrating to the ICO that you take personal data protection seriously, then this may help to reassure the ICO and avoid further regulatory action.
The required threshold for notifying the individuals whose personal data has been breached is higher than that for notification to the ICO. The individuals affected must be informed "without undue delay" where the breach is likely to result in a "high risk" to their rights and freedoms. Both the likelihood and the severity of the actual and potential harm must be assessed from the outset. Where the harm to individuals is both more likely and more severe, the "high risk" threshold is met.
However, the ICO has warned controllers to be wary of notification fatigue. Alerting data subjects unnecessarily (when the threshold for notification has not been met) is likely to lead to a situation where data subjects "tune out" and ignore notifications in situations where they are in fact at high risk of harm. This is important because notifications should call upon them to take action to mitigate the harm they might face as a result of the breach.
In particular, there is no need to notify in circumstances where:
While prevention is always better than cure, if you find yourself facing a data breach it's important that you have the policies and procedures in place to respond to it effectively. A key first step is understanding the nature of the breach, who is affected and whether the threshold for notifying the ICO is triggered. This initial assessment will then guide your next steps; but either way, it is crucial to be responsive, record the actions taken, make every effort to cooperate with the ICO and be mindful that time is of the essence.
Remember, there are set timescales for making a data breach notification in order to fulfil legal requirements, but also to manage the potential impact on those affected by the data breach and on your organisation and other stakeholders.
If you are unsure about whether to make a notification, be that to the ICO, the impacted data subjects or the data controller (if you are a processor), it is important to seek legal advice early. Our Data Protection and Cyber Security team is highly experienced in helping organisations from a wide range of sectors and circumstances respond to and manage the effects of a data breach. Its experts are able to advise on all aspects of a personal data breach response, including:
To discuss any of the points here with one of our team and find out how you can be better prepared to respond to a potential future personal data breach, please contact Amber Strickland or Saha Dehsheykhi.
For more insight into data and cyber fundamentals as part of our 'data and cyber school' series, you can also sign-up to our mailing list.
NOT LEGAL ADVICE. Information made available on this website in any form is for information purposes only. It is not, and should not be taken as, legal advice. You should not rely on, or take or fail to take any action based upon this information. Never disregard professional legal advice or delay in seeking legal advice because of something you have read on this website. Gowling WLG professionals will be pleased to discuss resolutions to specific legal concerns you may have.