Imagine if your organisation was fined £18.4 million for non-compliance. The executives at the hotel chain Marriott could tell you what it feels like. The company was forced to pay this sum as a result of a personal data breach in 2018. There probably wasn’t a great atmosphere in the office that day.
But management probably felt much better when they learned the fine was initially planned to be £100 million.
What made the £81.6 million difference? Marriott did everything right when it came to data breach reporting. As a result, the authorities showed leniency and significantly reduced the fine.
How an organisation recognises, reports and handles a data breach can make a massive difference to the outcome, not to mention the way customers view the incident.
If you’re concerned about the consequences of a data breach, read our guide to learn more about how and when you need to report one. Knowing what to do when a breach happens prepares you to protect your reputation and helps compliance with data security legislation.
What is a Data Breach?
To protect individuals from the misuse of their personal data, the UK government passed the Data Protection Act in 2018. The Act implemented General Data Protection Regulation (GDPR) into UK law, creating legislation that’s referred to as UK GDPR.
UK GDPR outlines the principles and rules organisations must follow to protect any data that can be used to identify a person. It’s enforced by the Information Commissioner’s Office (ICO), which can issue fines for non-compliance and personal data breaches.
But despite most organisations’ best efforts to follow GDPR guidelines, personal data breaches still happen. And breaches can mean more than the leaking of personal data. A data breach can involve one or more of the following happening to personal data:
- Accidental or unlawful destruction
- Alteration without permission
- Loss, including the loss or theft of devices containing personal data
- Being shared with the wrong people
- Unauthorised access
It’s often assumed that most data breaches result from malicious intent, but this isn’t true. The majority are actually caused by human error. Don’t assume that technical security controls are always the most critical factor in data breach prevention.
Does Every Personal Data Breach Need to be Reported?
No. Not every data breach must be reported to the authorities. The ICO must only be informed if the personal data breach poses a significant risk to an individual’s rights and freedoms.
There’s a self-assessment tool on the ICO’s website that you can use to confirm whether you need to submit a report. Or you can evaluate the situation yourself by considering the following questions:
Was the Personal Data for Living Individuals?
You only need to report data breaches to the ICO when they involve the personal data of living individuals.
Is There a High Risk to the Rights and Freedoms of Individuals?
You need to assess the severity of the risk to individuals’ rights and freedoms. This is a little more difficult to evaluate. Legislation states that risk exists when ‘the breach may lead to physical, material or non-material damage for the individuals whose data has been breached.’
Generally, this means there’s a risk to individuals of:
- Discrimination
- Financial loss
- Reputational harm
- Loss of confidentiality
The ICO recognises that it can be challenging to assess the risk, so they’ve included a few examples of data breaches on their website. These case studies should help you recognise when the risk is serious enough to necessitate a report.
A Serious Personal Data Breach Has Happened – What Now?
You have 72 hours to notify the ICO once you’ve discovered the personal data breach. This time limit counts from when you became aware of the breach, not from the time of the breach itself, and it includes weekends and bank holidays.
The ICO recognises that 72 hours is not always adequate for an organisation to confirm and investigate a personal data breach, so they sometimes consider mitigating factors if the time limit expires. However, it’s still best to start the data breach reporting process as soon as possible, even if you don’t have all the facts. The ICO allows reports to be made in phases, so prioritise meeting the 72-hour deadline over examining every detail.
How Do I Report to ICO?
The ICO recommends contacting them by phone to report a data breach, but there are options to report it online. Online reporting is only appropriate when you’re confident you can manage the breach without the ICO’s support, or when you’re still in the process of gathering all the relevant information.
If you are in a position to submit a complete report to the ICO, you should include the following:
- What happened to the personal data
- When and how you discovered the breach
- Details of the people who have been (or will be) affected
- What your organisation plans to do next
- Who the ICO should contact at your organisation to follow up
But remember, time is critical here. It might be best to report to the ICO before you provide them with all this information. This will ensure you’re not penalised for missing the 72-hour deadline.
Do I Need to Report the Data Breach to Anyone Else?
You must also notify the individuals whose information was involved in the personal data breach.
GDPR legislation states you should do this without undue delay. You should also offer advice on how individuals can protect themselves from the consequences of the breach, such as changing passwords or being extra vigilant for phishing emails.
Similar to reporting, notifying individuals is only a legal obligation if the data breach poses a significant risk to people’s rights and freedoms. But there are other advantages to being honest.
Informing your customers of any data breaches and offering support helps limit the potential harm to your organisation’s reputation. Hearing about a data breach in the news would understandably leave customers more frustrated than being informed directly. Bear this in mind when weighing your options.
What Happens After the Report?
The outcome will depend on the scope and severity of the data breach. The ICO may conclude your company was non-compliant with GDPR legislation and issue fines or other penalties. But remember what happened with the Marriott hotel company – it’s always best to notify the ICO as soon as possible and assist them in any way you can.
It’s crucial you also stay in touch with affected customers. Letting them know how the breach happened and what you did to resolve it can go a long way in rebuilding trust.
You should also think about how future data breaches can be prevented. This might include the adoption of new security measures. But remember, not all data breaches are the result of malevolent or criminal intent.
An analysis of ICO statistics suggests that around 90% of personal data breaches result from human error. This staggering figure makes it clear that UK workers still have much to learn about GDPR best practices and the safe handling of personal data.
Where Can I Learn More About GDPR Best Practices?
Training your staff is the best way to protect your organisation from the most common cause of a personal data breach. Teaching employees how to process personal data safely helps them maintain data confidentiality and integrity and supports compliance with GDPR legislation.
Our online GDPR Awareness Training explains the fundamentals of data protection. Trainees will develop an awareness of relevant legislation and learn practical ways to handle personal data securely. You’ll promote GDPR compliance in your workplace and help prevent the financial, reputational and legal costs of a personal data breach.
About the author(s)
Jonathan Goby