GDPR Help: When To Report A Data Breach

On 25th May 2018, the General Data Protection Regulation (GDPR) was introduced, heralding the biggest shake-up in privacy law for two decades.

As a business you will already have read plenty about the new regulation, so you’ll be pleased to learn we’re not going to rake over old ground. What we thought would be useful, however, is to provide you with a few pointers on dealing with data breaches.

If you are not sure what counts as a data breach, or what you need to do if you think one has happened, read on for some helpful FAQs.

What is a data breach?

A data breach, as defined by the Information Commissioner’s Office (ICO), is ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a public electronic communications service.’

In other words, a data breach occurs if personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or shares it without being authorised; or if access to the data is prevented, for example in the case of a ransomware attack.

Are there any examples of a data breach?

One example would be the login details of thousands of customers of an online retailer being exposed to hackers. This would contravene customer privacy rules and could lead to significant financial issues for the retailer.

Another would be private emails being made public. This would risk the reputation of the sender and the recipient of each email, as well as anyone else mentioned in the email thread.

Headline examples of organisations fined by the ICO for data breaches include Uber, following a hack that exposed the names, email addresses and mobile numbers of 57 million people worldwide; Pizza Hut, whose website and app were hacked, leaking personal information including the delivery addresses, emails and payment card details of an undisclosed number of customers; Yahoo, whose entire base of 3 billion users was likely compromised in 2013; and Tesco Bank, which saw 20,000 customers have money stolen from their accounts.

When does a data breach need to be reported?

Service providers such as telecoms and internet providers have their own set of rules when it comes to reporting a data breach.

For other businesses, there is only a need to inform the ICO if the breach is likely to pose a risk to the people linked to the data that has been compromised.

If a breach is deemed a major issue, then it will need to be reported. This will depend on the size (how many people are affected) and the nature, i.e. the type of data that has been compromised.

When does a data breach NOT need to be reported?

Not all data is sensitive and not all of it will cause a problem if it gets out into the open. Examples include an internal staff contact list, or a marketing list of names to be targeted for a product, provided the product isn’t especially sensitive.

How to report a data breach

ICO guidance states that a data breach notification must be submitted within 24 hours of discovering the breach, providing as much detail as possible about the incident. If full details are not available within 24 hours, the report must still be made with additional information to follow within a maximum of 72 hours.

The ICO provides a breach notification form for reporting data breaches.

In addition to notifying the ICO, you will have a duty to notify all those who have been affected by the breach.

What happens if I don’t report a data breach?

Under the GDPR, failing to notify the ICO of a significant breach can incur a fine of up to 20 million Euros or 4 per cent of your global annual turnover for the previous year, whichever is higher.

If you are concerned about how GDPR could impact your business in the event of a data breach, why not contact us to learn more about how cyber risk insurance could help safeguard your interests?