Breach Notifications Soar, But It’s Not All Bad News


In the latest UK200Group blog post, Ruth Weir, Associate at Blackadders LLP, discusses the increase in the number of breach notifications made to the ICO since the GDPR came into force last year.

Ruth Weir
Since the GDPR and Data Protection Act 2018 came into force in May 2018, it has been a busy year in the world of data protection. In particular, there has been a substantial increase in breach notifications made to the UK regulator, the Information Commissioner’s Office (the “ICO”), with total figures for 2018/19 at 13,840, up from 3,311 in the preceding year. While an increase is perhaps unsurprising given the strengthened requirement to report breaches under the new rules, a recent report by Pinsent Masons identified that the UK has seen the highest number of reported data breaches across Europe. Alongside this increase in breach notifications, there has also been an increase in individuals exercising their rights under the GDPR and DPA 2018, and a rise in the number of referrals made to the ICO by individuals (almost doubling in 2018/19 compared with 2017/18).

We are also starting to see the first fines being issued under the new rules, with notices of intention to fine eye-watering amounts released by the ICO recently. While the proposed £183 million fine for British Airways (representing about 1.5% of global turnover) and the £99.2 million fine for Marriott International will likely be appealed and may subsequently be reduced, they have shown the potential for the ICO to use enhanced fines to deter lax data security measures and encourage organisations to take appropriate steps to protect personal data.

Given the eventful start to the new rules, now seems a good time to look at what organisations should be doing when dealing with personal data breaches.

Into the Breach, but what is it?

Firstly, it is important to understand what a data breach is. Under the GDPR, a personal data breach is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.” A data breach is essentially a security incident that has affected, or could affect, the confidentiality, integrity or availability of personal data. A breach is clearly not limited to access by an unauthorised third party, and organisations should be protecting against the other potential threats as well. Common data breaches could therefore include:

- sending personal data to an incorrect recipient;
- devices containing personal data being lost or stolen;
- disclosing personal data over the phone to an impersonator;
- loss of availability of personal data (either through IT attacks or by flood/fire); or
- leaving personal data in plain sight where someone unauthorised can view it.

It is also important to remember that data breaches can be internal or external, although the impact of an internal-only data breach should be less than that of an external one, and any lasting damage to individuals should be easier to mitigate.

The first annual report from the ICO under the GDPR has shown that general business accounts for most breaches (just over 18%), but there is a reasonable spread across all sectors, from health (16.25%) to legal (7.38%), and from police and criminal records (1.99%) to finance (10.35%). This shows that no sector is free of data breaches and that all organisations need to be aware of their responsibilities in respect of such breaches.

There’s been a breach, what to do?

The first thing would be “don’t panic” and remember that all organisations will have a breach at some point. Under the GDPR, if an organisation becomes aware of a breach, it has an obligation to report this to the relevant regulator and, in certain circumstances, also to notify the individuals affected. In determining whether to notify, organisations need to look at the likelihood and severity of the risk to an individual’s rights and freedoms. If it is likely that there is a risk, the ICO must be notified, and where there is a high risk of an adverse impact on the individual, organisations should also notify the individual. Notification should take place without undue delay and within 72 hours of becoming aware of the breach. The 72-hour deadline is not measured in working hours, so the clock starts ticking as soon as an organisation is aware of a breach, which can be particularly challenging if the breach is identified on a Friday. It is important to notify within the deadline even if all the information is not yet known. The GDPR confirms that information can be provided in stages if required, although the expectation is that organisations will prioritise investigating the breach and seek to complete the investigation as soon as possible.

This tight timescale means it is essential that organisations work quickly to contain any breach and assess the risks involved. There are two clear reasons for this: firstly, it helps with taking appropriate steps to address the breach and, secondly, it helps an organisation understand whether notification is required.

How should risk be assessed?

This will need to be considered on a case-by-case basis, but the guidelines on assessing risk (prepared by the Article 29 Working Party and endorsed by the European Data Protection Board) suggest that the following areas be considered:

- the type of breach involved;
- the nature, sensitivity and volume of personal data;
- how easy it is to identify an individual;
- the severity of consequences for individuals;
- special characteristics of the individual; and
- the number of affected individuals.

There may be other areas which are relevant to a particular breach, so it is important that organisations are aware of the data they are processing and have procedures in place so they can see when things have gone wrong. When assessing risk, a seemingly small change in one area might have a substantial impact on the overall risk when combined with other factors. For example, a breach could affect thousands of individuals but only involve business email addresses, so may not represent a risk requiring notification, whereas a breach of the health data of a couple of hundred children would carry a much higher risk.

Organisations should also be careful not to fall into the trap of assessing everything as high risk and over-reporting. Although it might seem fully transparent and worthwhile to report every small breach, there are good reasons not to do this: firstly, it is not required under the GDPR; secondly, it might attract unwanted (and unnecessary) attention from the ICO; and thirdly, it might raise questions from individuals as to an organisation’s ability to process data properly.

Organisations are also required under the new rules to keep a record of all breaches (whether or not notified), and failure to do so will itself be a breach of the GDPR. I would also recommend that a record of near misses is maintained so organisations can identify any patterns or particular vulnerabilities that are arising and address these before a breach occurs.

And What’s The Damage?

The ICO will assess all reported breaches, but given the reported numbers it will clearly not be feasible to take action in all cases, so action will ultimately be focused on the more serious breaches. In assessing seriousness, the ICO will consider various factors such as the cause of the breach, the individuals affected, the detriment to those individuals, the type of data involved and any remedial steps taken to mitigate the impact and prevent recurrence.

There are various enforcement actions that the ICO can take, ranging from no action (the outcome for 82% of the breaches reported in 2018/19), through enforcement notices requiring organisations to take, or refrain from taking, certain steps (issued for about 17% of the breaches notified in 2018/19), to penalty notices or fines (which accounted for 0.05% of the breaches in 2018/19).

The low level of penalty notices issued ties in with the ICO’s statement that it wants to get organisations compliant rather than pursue fines. It is also worth noting that the level of fine which could be imposed by the ICO for a data breach is the standard maximum amount – €10,000,000 or 2% of global turnover. While this is not the higher maximum amount, there is clearly an incentive not to cause a breach and to avoid a fine at all costs.

Don’t Wait For It, Plan For It!

A data breach is something that can happen to any organisation, and the consequences can extend well beyond financial penalties, impacting reputation and trust, which can be harder to recover. There is a lot to consider, but the best approach is to plan for a breach so that the organisation can deal with it quickly and efficiently, hopefully avoiding any lasting damage to individuals or the organisation involved. Taking simple steps can help with planning and also reduce the risk of breaches occurring in the first place. Organisations should therefore consider training staff on what a breach is (so everyone knows how to identify a potential breach) and encouraging responsibility for preventing breaches and controlling the flow of personal data: getting staff to confirm who is on the phone before discussing matters, preventing the use of autofill in email, encrypting removable devices and encouraging staff to lock drawers. If organisations take the time before a breach to put an appropriate procedure in place to identify breaches and to notify the ICO and individuals, they should be able to notify the ICO within 72 hours if needed, and early mitigation steps can kick in.

Final Thoughts

When looking at the numbers in the ICO’s annual report in isolation, it would be easy to assume that there have been more data breaches and more organisations falling foul of the new rules. However, the flip side is that organisations are struggling to assess the reporting requirement effectively due to the lack of guidance from the ICO, resulting in over-reporting to err on the side of caution. What is clear is the importance of not burying heads in the sand and of taking a proactive and responsible approach to data protection, especially with the ICO using its enhanced enforcement powers to drive home that data protection is a board-level issue.


Tags: UK200
