When and How to report GDPR personal data breaches (Article 33)

What to do in case of a GDPR personal data breach – everything you want to know and more

The Data Protection Act was brought in in 2018. It controls and monitors how UK businesses and organizations use your personal data and information, such as credit, payment card, financial information, social security numbers, and any sensitive data. Breach of data protection must be acted responsibly in line with the established guidelines.

You can watch the condensed version of this article here:

Under the act, it is up to everyone to ensure that they use data wisely and adhere to the data protection principles that are laid down in the act, which are:

• Data is used legally, lawfully and is transparent.
• Data is used only for specified and explicit purposes.
• Data is only used in ways that are relevant and adequate and limited to only what is necessary.
• Data is handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction, or damage.

For a full understanding, you may read 8 principles of the Data Protection Act. There is still a considerable misunderstanding of what constitutes a data security breach. It had led to many companies and organizations reporting so-called data breaches to ICO when, in fact, that was not the case. Here is a helpful read on GDPR vs DPA. Remember this statement coming from our national authority on the subject.

You do not need to report every breach to ICO.

What is a breach of data protection?

According to the General Data Protection Regulation, a personal data breach is ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed’ (Article 4, definition 12).

The definition of personal data has also been widened to include online identifiers such as IP addresses, mobile devices, phone numbers, online identities, etc.

Data protection breach examples

One of the common examples of a data protection breach is a cyber-attack that permeates all your cybersecurity efforts.

The following is a list of a few personal data breach examples :

• data loss or data theft of USB drives, computer systems, laptops or mobile devices
• unauthorised access to devices, networks or computer systems storing sensitive data
• emails containing sensitive information sent to the wrong recipients
• insider attacks where disgruntled employees exfiltrated or upload sensitive data such as customer contacts or records

In 2020 alone, 36 billion records were exposed by a hackers cyber attack. 86% of the breaches were motivated by financial gain.

For breach of the Data Protection Act, in 2019, ICO had fined a London-based pharmacy £275,000 after failing to secure a special category data. Doorstep Dispensaree Ltd had left  500,000 documents exposed at the back of its premises that contained medical records and PII (personally identifiable information).

There are others, though, such as a computer error allowing others to view personal data. A staff member copying customer data on a USB stick and shares it with others. Or as recently happened when 150,000 arrest records were accidentally deleted.

The most significant data breach in history was experienced by Yahoo in 2013 when so-called ‘state-sponsored hackers accessed over 3 billion user accounts.

To decide whether an actual data breach has occurred, it is advisable to take each case on its own merits. However, if an organization decides that a data breach did not happen, they are still obliged to give reasons formally. This is to protect themselves from future challenges.

How quickly should a data breach be reported?

If and when you discover that there has been a data breach – what do you do? How do you go about reporting a data breach, and who do you report it to? How long to report data breach?

According to the Information Commissioner’s Office, there is still considerable confusion on the reporting process.

Any breach of personal data should be reported to the information commissioner’s officer within what time frame?

72 hours

GDPR Article 33 relates to the notification of a personal data breach to the authorities. The important aspect of GDPR data breach reporting time is that it must be done within 72 hours of the breach. Those first 72 hours are critical. GDPR requires all agencies and companies to report to the appropriate authorising authority without undue delay, and this must be done within 72 hours.

The key to the reporting protocol is that data breaches only need reporting where the breach would impact an individual, causing them economic stress, social damage such as discrimination, financial loss, or reputational damage.

The problem comes in many organizations in that there is sometimes a lack of understanding of the GDPR requirements or an over-caution element.

Some organizations view that it is better to report all data breaches’ incidences to protect themselves from being reported on by others.

However, there is some caution around over-reporting. Sometimes, an organization will report what they thought is a data breach without having all the facts to hand. Sometimes this can lead to a considerable amount of unnecessary ‘form filling’ and can lead to actions being taken that are unnecessary.

What information needs to be reported?

Reporting information should contain the following, as required by the ICO.

1. Analysis of the situation – Here, you must provide as much information as possible around the data breach context. How the data breach has and could impact your organization and its damage may or may not cause. If you don’t have all the required information available, GDPR article 33  allows you to provide the information as and when it is available. This information must be supplied without undue delays.
2. Impact – There is a requirement to identify what categories of personal data have been in breach and the number of records that the breach may have impacted.
3. GDPR data knowledge – If the data breach has been caused by human error, the ICO will need to know if the individual or individuals concerned have received adequate data protection training or staff development within a period of the last two years. If they have, then you will need to provide details of the training.
4. Data Breach impact – You will need to outline what the breach could mean for the affected individuals. The severity of this will depend on what type of information has been compromised and if the breach subjects are aware.
5. Data Breach prevention – Outline to the commission what preventative measures you may have taken before the breach occurred. You need to outline any steps you have taken to protect data and your plan to deal with the recent breach and minimize any damage to the individuals concerned.
6. Finally, the ICO will need to know who your Data Protection Officer (or the reporter) is.

There should be a real emphasis on protecting the rights and freedoms of the individuals involved. Any breach that may lead to press and media involvement needs to be reported at the earliest opportunity.

You may also need to be aware that you might have your own industry and professional bodies that will need to be mindful that you have had a breach and the outline of that breach.

What happens after reporting?

Once you have reported your data breach, you will acknowledge the ICO that they have received your communication.

Your case will then be added to a list of active cases that the ICO will investigate.

If the ICO deems that your case is an active violation of the GDPR, it becomes a bit more serious. They may instigate a formal investigation into the breach, which can, in some cases, also follow on to a criminal investigation.

If your case is deemed severe, involves a substantial data breach, and is likely to be the subject of media attention, then your case is usually given priority.

The bottom line is that some breaches can be very costly if you consider the data breach at Marriot Hotels’ chain in 2019, which ended up costing the chain £99 million in fines!

What are the consequences of failing to report a data breach adequately?

You may decide that even though you have had a data breach you will not report it. Not a good idea.

Failure to comply with data protection legislation can lead to an administrative fine up to £17.5 million (20 million euros) or 4% of annual turnover, whichever is higher.

If you fail to report a data breach, it is liable to attract a substantial fine from the ICO. However, this is usually the last resort for serial offenders – it may be more likely that you get an audit and scrutiny of your compliance measures.

Failure to notify ICO about a breach of data protection may attract a fine of up to €10 million or 2 % of global turnover. Based on violation severity and ICO’s corrective powers under Article 58, these fines may add up to €20million, or 4% of global turnover, whichever is greater.

Who enforces breaches of the GDPR?

The ICO issues sanctions for UK GDPR breaches, including warnings, bans on data processing and fines/penalties. The ICO (Information Commissioner’s Office) is a non-departmental body reporting directly to the Parliament of the United Kingdom, sponsored by DCMS (Department for Digital, Culture, Media and Sport).

Where do GDPR fines go?

All GDPR fines collected by ICO are deposited into the Treasury’s Consolidated Fund and not kept by the Information Commissioner’s Office.

Can I be sacked for breaching data protection?

Believe it or not, there are many ways that you can risk breaching data protection, and unless you have been thoroughly trained in GDPR practices, you might not be aware of it. Some instances may include:

• Responding to work emails via your personal mobile devices after hours
• Responding to work emails during travel or lunch breaks
• Using unauthorised apps such as Whatsapp
• Using social media for work communications
• Forwarding customer or client emails to your personal email accounts

The dismissal for such a breach can usually be found in the HR policies that your employer should provide for you. However, there are certain things you can do to mitigate the chance of inadvertently creating a data breach:

• Don’t use personal accounts or unapproved tools to deal with work communications.
• Make sure you are familiar with your workplace GDPR policies.
• If you are unsure, speak to your HR department.
• Make sure you are adequately trained in all aspects of GDPR that may impact your work.

What to do if my personal data is breached?

If you have been involved in a data breach and have been notified by the company concerned, there are several things you can do to mitigate any personal or financial loss.

One of the first things to do is change usernames and passwords on email addresses and personally identifiable information. A survey carried out by Google in 2019 found that 65% of us use the same passwords for multiple accounts online. If you are subject to a data breach, make sure you change all passwords or start to use a password manager.

Secondly, keep a close eye on your bank accounts and debit or credit cards. If you notice any suspicious transactions, contact your bank at once and report them. Also, check your credit report to ensure there have been no credit applications made in your name.

Thirdly, to really give yourself protection, you can opt to freeze your credit. There is no cost to this, and it means that no one can take any credit out in your name. You can do this by contacting the credit agencies in your particular country.

Can individuals be fined under GDPR?

Under UK GDPR, yes if an individual is self-employed and processing data for business activities.
GDPR does not apply to data processing by an individual purely for personal reasons (or household activities).

For EU GDPR, while the GDPR does not specifically set out fines and penalties for individuals, individuals can still come under the scope for infringements of GDPR under national. This is applicable because member states apply the GDPR regulation to their national law.

What happens if an employee breaches GDPR?

Breaching GDPR may attract hefty fines and can have major consequences for the business. As a result, if an employee is found as the main reason behind the GDPR breach, that person may face disciplinary action.
There are examples of employees being prosecuted for data protection breaches in the past.
1. A former NHS manager admitted to unlawfully accessing personal data and was fined for emailing personal data to his own email account.
2. A recruitment consultant was prosecuted in relation to unlawfully obtaining client data. In breach of data protection, this consultant emailed the personal data of around 100 clients and potential clients to her personal email.

Can you get compensation for a breach of data protection?

There is still some confusion regarding the question of compensation when it comes to a data breach. Although 80% of people now know what GDPR is, many are still not aware of their rights if they have been victims of a data breach. Regardless of the size of the company concerned, they should still be held accountable for any mistreatment or loss of data that could cause you financial or distressing harm.

Although one in five people have been exposed to a data breach, there is still uncertainty about what can be done. Only a small percentage of victims of a data breach actually make a claim. In a recent survey, only 7% made a claim, with 37% not realizing they could make a claim and 24% stating that the issue wasn’t big enough to make any claim.

The short answer is yes. If you are an EU resident, you are entitled to claim if you have suffered ‘material’ or ‘non-material’ damage as part of a data breach. You can claim compensation if you have suffered financial loss or some other form of distress.

One of the first things you might do is contact the ICO and file a complaint against the organization concerned. Although the ICO cannot award you directly, they can help your legal case investigate your claim and make recommendations.

If you have suffered some form of distress or anxiety due to a data breach, you can also claim compensation for any treatment you might require, such as counselling sessions.

How much compensation can you claim for a data protection breach?

Many law firms out there will act on your behalf when it comes to a data breach where you have suffered some aspect of loss or distress. Their fees vary, and you must check that out before making a claim.

How can we help you?

Cyphere helps businesses protect their most prized assets by securing their cybersphere. As a cyber security services provider, we have extensive IT security compliance assessments related to GDPR security testing, DPA 2018, ISO 27001, PCI DSS and other regulatory requirements. We carry out independent security assessments to identify gaps and provide practical advice to help customers minimise their risks.

A starting point is realising what you classify as sensitive, who has access, why they access it, and the surrounding controls to prevent data breaches. A technical gap analysis such as a cyber health check would help to identify the blind spots in your networks, applications and systems in use. This indication also includes advice on how best to mitigate your risks without any product endorsements or other commercial inclinations.

Get in touch to discuss your primary security concerns.