When and How to report GDPR personal data breaches (Article 33)

Share on facebook
Share on twitter
Share on linkedin
Share on email
breach of data protection

Stay up to date

Stay up to date with the latest threat reports, articles & mistakes to avoid.

Simple, yet important content.
No salesy pitches and all that, promise!

What to do in case of a GDPR personal data breach – everything you want to know and more

The Data Protection Act was brought in in 2018, and it controls and monitors the way that UK businesses and organizations use your personal data and information, such as credit, payment card, financial information, social security numbers, and any sensitive data. 

Under the act, it is up to everyone to ensure that they use data wisely and adhere to the data protection principles that are laid down in the act, which are:

  • Data is used legally, lawfully and is transparent
  • Data is used only for specified and explicit purposes.
  • Data is only used in ways that are relevant and adequate and limited to only what is necessary.
  • Data is handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction, or damage

There is still considerable misunderstanding on what constitutes a data breach. It has led to many companies and organizations reporting so-called data breaches to ICO when in fact, that was not the case. Here is a helpful read on GDPR vs DPA. Remember this statement coming from our national authority on the subject. 

You do not need to report every breach to ICO.

What is breach of data protection?

According to the General Data Protection Regulation, a personal data breach is ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed’ (Article 4, definition 12).

The definition of personal data has also been widened to include online identifiers such as IP addresses, mobile devices, phone numbers, online identities, etc.

Examples of a data breach

One of the common examples of a data breach is a cyber-attack that permeates all your cybersecurity efforts.

In 2020 alone, 36 billion records were exposed by a hackers cyber attack. 86% of the breaches were motivated by financial gain.

For breach of Data Protection Act, in 2019, ICO had fined a London-based pharmacy £275,000 after failing to secure a special category data. Doorstep Dispensaree Ltd had left  500,000 documents exposed at the back of its premises, that contained medical records and PII (personally identifiable information). 

There are others, though, such as a computer error allowing others to view personal data. A staff member copying customer data on a USB stick and sharing it with others. Or as recently happened when 150,000 arrest records were accidentally deleted.

The most significant data breach in history was experienced by Yahoo in 2013 when over 3 billion user accounts were accessed by so-called ‘state-sponsored hackers’.

To decide whether an actual data breach has occurred, it is advisable to take each case on its own merits. However, if an organization decides that a data breach did not happen, they are still obliged to give reasons formally. This is to protect themselves from future challenges.

Data breach examples

How long do you have to report a data breach?

If and when you discover that there has been a data breach – what do you do? How do you go about reporting a data breach, and who do you report it to?

According to the Information Commissioner’s Office, there is still a considerable amount of confusion on the reporting process.

The important aspect of reporting a data breach is that it must be done within 72 hours of the breach taking place. Those first 72 hours are critical. GDPR requires all agencies and companies to report to the appropriate authorising authority without undue delay, and this must be done within 72 hours.

The key to the reporting protocol is that data breaches only need reporting if it is felt that the breach would have an impact on an individual causing them economic stress, social damage such as discrimination, financial loss, or reputational damage.

The problem comes in many organizations in that there is sometimes a lack of understanding of the GDPR requirements or that there is an element of over-caution.

Some organizations take the view that it is better to report all incidences of data breaches to protect themselves from being reported on by others.

However, there is some caution around over-reporting. It can sometimes happen that an organization will report what they thought is a data breach without having all the facts to hand. Sometimes this can lead to a considerable amount of unnecessary ‘form filling’ and can lead to actions being taken that are unnecessary.

What information needs to be reported?

Reporting information should contain the following, as required by the ICO.

  1. Analysis of the situation – Here, you must provide as much information as possible around the context of the data breach. How the data breach has and could impact on your organization and what damage it may or may not cause.
  2. Impact – There is a requirement to identify what categories of personal data have been in breach and the number of records that may have been impacted by the breach.
  3. GDPR data knowledge – If the data breach has been caused by human error, the ICO will need to know if the individual or individuals concerned have received adequate data protection training or staff development within a period of the last two years. If they have, then you will need to provide details of the training.
  4. Data Breach impact – You will need to outline what the breach could mean for the affected individuals. The severity of this will depend on what type of information has been compromised and if the subjects of the breach are aware.
  5. Data Breach prevention – Outline to the commission what preventative measures you may have taken before the breach occurred. You need to outline any steps that you have taken to protect data and your plan to deal with the recent breach, and how you will try to minimize any damage to the individuals concerned.
  6. Finally, the ICO will need to know who your Data Protection Officer (or the reporter) is.

There should be a real emphasis on the protection of the rights and freedoms of the individuals who may be involved. Also, any breach that may lead to press and media involvement needs to be reported at the earliest opportunity.

Discuss your concerns today

Although the 72-hour rule is not sacrosanct, if you find that you are going to miss the deadline, contact the Information Commissioner’s Office (ICO) to let them know.

You may also need to be aware that you might have your own industry and professional bodies that will also need to be mindful that you have had a breach and the outline of that breach.

How to report data breach

What happens after reporting?

Once you have reported your data breach, you will get acknowledgment from the ICO that they have received your communication.

Your case will then be added to a list of active cases that will be investigated by the ICO.

If the ICO deems that your case is an active violation of the GDPR, then it becomes a bit more serious. They may instigate a formal investigation into the breach, which can, in some cases, also follow on to a criminal investigation.

If your case is deemed severe, involves a substantial data breach, and is likely to be the subject of media attention, then your case is usually given priority.

The bottom line is that some breaches can be very costly if you consider the data breach at the chain of Marriot Hotels in 2019, which ended up costing the chain £99 million in fines!

What are the consequences for failing to adequately report a data breach?

You may decide that even though you have had a data breach that you will not report it. Not a good idea.

If you fail to report a data breach, it is liable to attract a substantial fine from the ICO. However, this is usually the last resort for serial offenders – it may be more likely that you get an audit and scrutiny of your compliance measures. 

Failure to notify ICO about a breach of data protection may attract a fine up to €10 million Euros or 2 % of global turn over. Based on violation severity and ICO’s corrective powers under Article 58, these fines may add up to €20million Euros, or 4% of global turnover whichever is greater. 

Can I be sacked for breaching data protection?

Believe it or not, there are many ways that you can risk breaching data protection, and unless you have been thoroughly trained in GDPR practices, you might not be aware. Some instances may include:

  • Responding to work emails via your personal mobile devices after hours
  • Responding to work emails during travel or lunch breaks
  • Using unauthorised apps such as Whatsapp
  • Using social media for work communications
  • Forwarding customer or client emails to your personal email accounts

The question of dismissal for such a breach can usually be found in the HR policies which your employer should provide for you. However, there are certain things you can do to mitigate the chance of inadvertently creating a data breach:

  • Don’t use personal accounts or unapproved tools to deal with work communications.
  • Make sure you are familiar with your workplace GDPR policies.
  • If you are unsure, speak to your HR department
  • Make sure you are adequately trained in all aspects of GDPR that may impact your work.

What to do if my personal data is breached?

If you have been involved in a data breach and have been notified by the company concerned, there are several things you can do to mitigate any personal or financial loss.

One of the first things to do is to change usernames and passwords on email addresses and any personally identifiable information. A survey carried out by Google in 2019 found that 65% of us use the same passwords for multiple accounts online. If you are subject to a data breach, make sure you change all passwords or start to use a password manager.

Secondly, keep a close eye on your bank accounts and debit or credit cards. If you notice any suspicious transactions, contact your bank at once and report it. Also, check your credit report to make sure there have been no credit applications made in your name.

Thirdly, to really give yourself the protection, you can opt to freeze your credit. There is no cost to this, and it means that no one can take any credit out in your name. You can do this by contacting the credit agencies in your particular country.

Can you get compensation for breach of data protection?

There is still some confusion out there regarding the question of compensation when it comes to a data breach. Although 80% of people now know what GDPR is, many are still not aware of their rights if they have been the victim of a data breach.

Regardless of the size of the company concerned, they should still be held accountable for any mistreatment or loss of data that could cause you financial or distressing harm.

Although one in five people have been exposed to a data breach, there is still uncertainty about what can be done.

Only a small percentage of victims of a data breach actually make a claim. In a recent survey, only 7% made a claim, with 37% not realizing they could make a claim and 24% stating that the issue wasn’t big enough to make any sort of a claim.

The short answer is yes. If you are an EU resident, you are entitled to make a claim if you have suffered ‘material’ or ‘non-material’ damage as part of a data breach. You can claim compensation if you have suffered financial loss or some other form of distress.

One of the first things you might do is to contact the ICO and file a complaint against the organization concerned. Although the ICO cannot award you directly, they can help your legal case as they will investigate your claim and make recommendations.

If you have suffered some form of distress or anxiety as a result of a data breach, you can also claim compensation for any treatment you might require, such as counselling sessions.

Discuss your concerns today

One of the popular questions is how much compensation could you claim? Like anything of this nature, this will depend on the nature and severity of the loss or distress caused.

There are many law firms out there that will act on your behalf when it comes to a data breach where you have suffered some aspect of loss or distress. Their fees vary, and you must check that out before making a claim.

How we can help you?

Cyphere helps businesses protect their most prized assets by securing their cyber sphere. As a cyber security services provider, we have extensive experience around IT security compliance assessments related to GDPR, DPA 2018, ISO 27001, PCI DSS and other regulatory requirements. We carry out independent security assessments to identify gaps and provide practical advice to help customers minimise their risks.

In order to prevent data breaches, a starting point is realising what do you classify as sensitive, who has access, why they access it and the surrounding controls. A technical gap analysis such as cyber health check would help identifying the blind spots in your networks, applications and systems in use. This indication also includes advice on how best to mitigate your risks without any product endorsements or other commercial inclinations. 

Get in touch to discuss your primary security concerns.

Table of Contents