As has been much talked about, under the GDPR a data controller must report a data breach within 72 hours of becoming aware of it, provided the breach crosses the required reporting threshold. In simple terms, a breach must be reported to the ICO unless it is unlikely to result in a risk to the rights and freedoms of a living individual. The test for reporting to the affected individual is higher: in that case, a breach must be reported only if it is likely to result in a high risk to the rights and freedoms of the individual.
Assessing your reporting obligations
When considering whether or not a data breach needs to be reported, either just to the Information Commissioner’s Office or additionally to the individual whose data has been lost, the ICO recommends using the “CIA Triad”. This provides that you should consider whether there is a breach of security that has compromised the:
• Confidentiality,
• Integrity, or
• Availability
of Personal Data.
What amounts to a breach of confidentiality?
To give further clarity: a breach of confidentiality would include the unauthorised or accidental disclosure of, or access to, Personal Data; a breach of integrity would include the unauthorised or accidental alteration of Personal Data; and a breach of availability would include the unauthorised or accidental loss of access to, or destruction of, Personal Data.
As part of the assessment of the breach, and of whether the obligation to report has been triggered, you should undertake a risk assessment to help reach your decision. This requires you to take into account both the severity of the breach and the likelihood of potential negative consequences arising from it. There are many factors to consider, including the type of breach; the nature, amount and sensitivity of the personal data; the potential consequences of the breach; how easy it is to identify individuals from the data; and whether there are any special circumstances relating either to you as the data controller or to the individual whose data has been lost.
One message that has been received from the ICO is that it is important not to over-report, either to it or to the individuals. In particular, the ICO does not want to see individuals suffering from “notification fatigue”, whereby they receive so many notifications from businesses about data breaches that the significant ones get lost in the mass.
That reinforces the need to undertake a careful risk assessment when you discover a breach and to report where necessary – but not to report everything simply to be transparent. Whilst the threat of the fines that the ICO can levy might tempt you to notify each and every data breach, that approach is equally not the right one to take.