GDPR and Mandatory Breach Reporting

Article

01 November, 2017

The General Data Protection Regulation ('GDPR') will come into force in the UK from 25 May 2018. One of the changes the GDPR makes is the requirement for a personal data breach to be notified to the Information Commissioner's Office ('ICO').

Currently there is no legal obligation on most organisations to self-report personal data breaches to the ICO. However, self-reporting is currently treated as a mitigating factor by the ICO, and so organisations may choose to self-report if they wish. This will change under the GDPR, which makes notification mandatory for all data controllers unless a breach is unlikely to result in a risk to the rights and freedoms of individuals. These breaches must be reported to the ICO within 72 hours of the data controller becoming aware of the breach.

The Article 29 Working Party has issued draft guidelines on personal data breach reporting to assist data controllers in understanding their self-reporting obligations under the GDPR. The draft guidance addresses the following points:

When does the 72-hour clock start?
The 72-hour time frame begins the moment the data controller becomes aware of the breach. This may be clear at the outset, but in other cases it may take some time before it is established that there has been a breach. The draft guidance emphasises that an investigation should begin as soon as possible to establish whether or not there has been a breach.

When does a breach need to be reported?
Personal data breaches are to be reported to the ICO where the breach is likely to result in a risk to the rights and freedoms of individuals. The GDPR explains that this can include loss of control over their personal data, limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, and loss of confidentiality of personal data protected by professional secrecy. It can also include any other significant economic or social disadvantage to those individuals.

One example of where notification would be required is given in the draft guidance, in the context of a hospital. If critical medical data about patients are made unavailable, even temporarily, this could present a risk to individuals' rights and freedoms; for example, operations may be cancelled.

When does a breach not need to be reported?
Conversely, a personal data breach does not need to be reported to the ICO where the breach is not likely to result in a risk to the rights and freedoms of individuals. The following examples are provided in the draft guidance as situations where breaches would not need to be reported:

  • A breach involving data which is already publicly available, where there is no likely risk to individuals, would not need to be notified.
  • A loss of encrypted data would not need to be reported (e.g. an encrypted laptop or mobile) provided that the key is held securely and that the encryption was operational when the device was lost. Any decision not to report due to use of encryption should be revisited if facts change (e.g. if it turns out that the key was not secure).

The draft guidance is open for consultation until the 28th November 2017. Finalised guidance will then be published in due course.

If you are looking for more information with regards to our services, view our Commercial section. You can also contact Bethany Paliga in our Commercial department on 01254 222 347 or by email. Alternatively, send any question through to Forbes Solicitors via our online Contact Form.