It feels like a good time to congratulate ourselves for stepping up to our responsibilities, and complying with the GDPR. We’ve published our privacy policies, we’ve updated our marketing consents, we’ve deleted old data and set up new data protection procedures. And by keeping our, slightly apprehensive, eyes on the ICO enforcement actions, we’ve learnt from the non-compliance mistakes of other organisations.
We’re so thorough and focussed on our compliance in fact, that we’re actually, possibly, being too good at it. I am talking specifically about complying with the GDPR obligation to report personal data breaches.
Are we over-reporting?
James Dipple-Johnstone, deputy information commissioner, told attendees of the CBI Cyber Security Business Insight Conference last month, that a third of data breach reports received in the past few months don’t meet the ICO’s reporting threshold. We are over-reporting our data breaches. Hardly surprising, given the rhetoric pushed out by the ICO over the past year or so. We’ve been urged to be transparent, to build a relationship and to co-operate with the ICO rather than hide our mistakes (and our breaches).
So when big breaches make big headlines, and the roll call of fines to companies great and small continues to grow, it’s no wonder we’re erring on the side of caution. We have the added time pressure of reporting (reportable) breaches within 72 hours of discovery, and we’ve had few place holders for what constitutes a likely risk to the rights and freedoms of natural persons – the criterion of a reportable breach.
What makes a data breach reportable?
The ICO held a webinar over the summer on data breach reporting, in which they explained that risk means “more than remote chance of harm or damage taking place.”
The European Data Protection Board (EDPB) guidance on reporting breaches provides some further assistance in determining whether a breach is likely to result in a risk. Factors to take into account are:
- the nature, sensitivity and volume of personal data affected;
- the type of breach;
- how easy it is to identify the individual data subjects;
- any special circumstances of the data subject(s) or the controller; and
- the severity of possible harm, for example whether it could result in identity theft or fraud, physical harm, psychological distress, humiliation or damage to reputation.
There is a higher threshold for the requirement of controllers to communicate personal data breaches to the data subjects, which is that the breach is likely to result in a high risk to the rights and freedoms of natural persons. A high risk should be assessed by the same factors as above, but the risk is high if the breach is more likely to impact data subjects, or the severity of the potential impact is greater.
Still not sure whether it’s worth reporting?
Despite this guidance, which has been available since before May, there remains a fair amount of uncertainty. The deputy commissioner said in his speech at the CBI conference that they “will be working with organisations to try and discourage this [unnecessary reporting] in future once we are all more familiar with the new threshold”.
We may be treated to a code of conduct for reporting breaches in future, but in the meantime the ICO has issued a personal data breach reporting guidance page, at https://ico.org.uk/for-organisations/report-a-breach/.
Our advice? Avoid knee-jerk reactions and use your 72 hours wisely. There are no brownie points for reporting within the first hour of discovery rather than the 71st. Determine the facts and carry out a thorough risk assessment. Once arrived at this stage, it’s likely that you will know whether it is something you genuinely need to report.
To learn more or for help with data protection, GDPR compliance or any IT legal issues, email [email protected] or call 0191 211 7777.