WHAT IS A DATA BREACH AND WHAT TO DO IF YOU HAVE ONE?
A data breach occurs when the data for which your organisation is responsible suffers an incident that exposes confidential or protected information, resulting in a breach of confidentiality, availability or integrity. A personal data breach occurs where personal data are lost, destroyed, corrupted or illegitimately disclosed. It can be by physical or electronic means. Types of data breaches include personal data rendered unavailable by ransomware, sending an email with protected data to the wrong person, loss of a USB drive, or misplaced hard copy notes, for example.
WHAT TO DO IN THE EVENT OF A DATA BREACH:
Step 0: Take a deep breath, and read this document
All will be fine – you just need to focus and act quickly in accordance with this document. It is a roadmap for what to do next and in what order.
Step 1: Investigate and fact-find, quickly!
In addition to containing the breach, it is imperative that the breach itself should be immediately investigated and a fact-finding exercise carried out. The purpose of the exercise is to determine:
1. What type of data has been affected. Is it personal or non-personal data? Personal data is data from which a person is identified or identifiable. If it is personal data, the type and nature of the personal data, including whether it contains sensitive or “special category” personal data;
2. The circumstances of the data breach. When and how did it happen, and who was involved?
3. What the security failure was;
4. How easily the affected data subjects can be directly or indirectly identified.
Step 2: Assess the risk:
· What is the likelihood of reversal of pseudonymisation or loss of confidentiality;
· What is the likelihood of identity fraud, financial loss or other forms of misuse of the data (consider how the data could be used maliciously);
· What is the likelihood that the breach could result in material (financial) damage, or non-material damage (non-economic loss, i.e. pain and suffering, inconvenience and anxiety which might arise from a data rights breach), to data subjects, and the severity of that damage; and
· Identify whether the breach could result in discrimination, or harm to data subjects and their fundamental rights (e.g. respect for private and family life, home and communications, the protection of personal data, freedom of thought, conscience and religion, freedom of expression and information, freedom to conduct a business, the right to an effective remedy and to a fair trial, and cultural, religious and linguistic diversity).
For non-personal data, this is mostly an assessment of the contractual risk and potential liability arising from the breach. Taking appropriate mitigating action as soon as possible is vital, such as early notification to your insurer.
Where there has been a personal data breach, data controllers (i.e. your organisation) should ensure the above assessment of risk is documented. To demonstrate compliance with their obligations, all data controllers are recommended to keep a record of how and when assessments are carried out. Failure to adequately assess the risk to the affected data subjects (or failure to attempt to assess risk at all) may result in the data controller failing to meet its obligations under the GDPR.
Step 3: Ascertain who you need to notify and by when
If it is non-personal data, then the first thing to do is to look at what your obligations are to the other third parties affected by this breach. It may be a customer or a service provider. Check the contract or agreement governing that relationship to see what it provides for in the event of a data breach or breach of confidentiality.
For personal data, the breach may also trigger statutory notification obligations. If the personal data is contained, or is intended to be contained, in a filing system, then the GDPR applies and it is necessary to determine whether or not you are a data controller or a data processor.
Data controllers bear most of the responsibility in respect of the personal data. Data processors, who process data on behalf of a data controller, should check their reporting obligations in their contract with the data controller. They must notify the controller of any personal data breach without undue delay after becoming aware of the breach. This is extremely important, as it enables the controller to comply with its own notification obligations, which are set out below.
For data controllers, there are two distinct primary obligations under the GDPR notification regime for personal data breaches, namely:
(a) Notification of the breach to the Data Protection Commission (‘DPC’), unless the controller contemplates that the breach is unlikely to result in a risk to data subjects;
(b) Communication of the breach to data subjects, where the breach is likely to result in a high risk to data subjects.
To be considered are (i) the threshold for notification to the DPC, and (ii) the threshold for communication of a breach to affected data subjects.
The levels of risk are defined below:
· The breach is unlikely to have an impact on individuals, or the impact is likely to be minimal.
· The breach may have an impact on individuals, but the impact is unlikely to be substantial.
· The breach may have a considerable impact on affected individuals.
· The breach may have a critical, extensive or dangerous impact on affected individuals.
It is important that the controller understands that once it has been made aware of a personal data breach, a timetable is set in motion. Controllers must notify the DPC without undue delay (no later than 72 hours under the GDPR). In addition, where applicable, controllers must also communicate the data breach to the affected data subjects without undue delay.
Controllers should also ensure that they are able to demonstrate, through appropriate records and procedures, their compliance with the notification obligations, particularly the timelines for notification to the DPC.
In determining how serious you consider the breach and its potential impact to be for affected individuals, consider the nature of the breach, the cause of the breach, the type of data exposed, mitigating factors in place, and whether the personal data of vulnerable individuals has been exposed.