Following recent reports of one of the biggest data breaches to date involving a UK company, Dixons Carphone, which is now thought to affect 10 million records, our disputes and employment specialist Tim Wolley looks at what is classed as a breach and what you should do if your business discovers a breach.
What is classed as personal data?
Any information relating to a person (the data subject) that can be used to identify that person, directly or indirectly, is personal data. In addition to the usual suspects (name, picture, email address, contact number), GDPR also treats an individual’s computer IP address and mobile device identity as personal data, so these are protected too.
Personal data may also include special categories of personal data or criminal conviction and offences data. These are considered to be more sensitive and you may only process these in limited circumstances.
There will be circumstances where it may be difficult to determine whether data is personal data. If this is the case, as a matter of good practice, you should treat the information with care, ensure that you have a clear reason for processing the data and ensure you hold and dispose of it securely.
In the case of Dixons Carphone, personal information (names, addresses and email addresses) was accessed, together with data from 5.9 million payment cards, although no fraud is believed to have resulted from the breach.
What is a data breach?
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.
An example could be sending personal data (commonly via email) to an incorrect recipient, the loss or theft of a company laptop, memory stick or phone containing personal information, a third-party hack into your computer system or even the loss of availability or alteration without permission of personal data.
In the case of Dixons Carphone, hackers had tried to gain access to one of the processing systems of the Currys PC World and Dixons Travel stores. Luckily for Dixons, the incident happened before the new GDPR rules, which carry much bigger fines, came into force.
What should I do if I discover a breach?
GDPR places a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority without undue delay and in any event, within 72 hours of becoming aware of the breach.
When a personal data breach has occurred, you need to establish the likelihood and severity of the resulting risk to people’s rights and freedoms. If a risk is likely, you must notify the ICO; if it is unlikely, you don’t have to report it. This must be decided on a case-by-case basis, looking at all relevant factors.
For example, if a breach is likely to lead to identity fraud or the individual suffering financial loss, you will need to notify the Information Commissioner’s Office.
You may also need to inform any individuals affected by the breach, depending on the severity of the potential or actual impact on them. Again, this should be assessed on a case-by-case basis and, if individuals need to be informed, this should be done without undue delay. One of the main reasons for informing individuals is to help them take steps to protect themselves from the effects of the breach.
You should consider what processes you have in place to help to assess the likely risks to individuals in the event of a breach and to ensure that any notifications to either the ICO or affected individuals are made promptly.
All breaches should be recorded internally including the facts relating to the breach, its effects and any remedial action taken. If you decide it is not necessary to report a breach to the ICO or the individuals affected, you need to be able to justify this decision, so you should document it.
What information needs to be reported?
When reporting a breach to the ICO, the GDPR says you must provide:
- a description of the nature of the personal data breach including, where possible:
  - the categories and approximate number of individuals concerned; and
  - the categories and approximate number of personal data records concerned;
- the name and contact details of the data protection officer (if your organisation has one) or other contact point where more information can be obtained;
- a description of the likely consequences of the personal data breach; and
- a description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.
When reporting a breach to an affected individual, you need to describe, in clear and plain language, the nature of the personal data breach and, at least:
- the name and contact details of your data protection officer (if your organisation has one) or other contact point where more information can be obtained;
- a description of the likely consequences of the personal data breach; and
- a description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.
Organisations that don’t already have internal procedures for managing data protection breaches should consider adopting formal procedures.
What are the consequences of a breach?
Fines for a serious breach can be up to four per cent of an organisation’s annual worldwide turnover or €20 million, whichever is greater. Failing to notify a breach can also result in large fines.
How Bowcock & Pursaill can help
Our Employer Protection Scheme includes a health check of your current policies and practices to identify any compliance breaches and legal updates which are required, together with ongoing expert legal advice.
For more information and a free quotation, download our questionnaire and email it to our employment specialist Tim Wolley at tw@bowcockpursaill.co.uk.
For more information about the EU General Data Protection Regulation and how it affects your business or organisation, see the Information Commissioner’s Office website at ico.org.uk/for-organisations.