Last year telecoms company Talk Talk was the subject of a cyberattack in which almost 157,000 customers' personal details were hacked. The company was criticised for its slow response especially the time it took to inform the Information Commissioner’s Office (ICO) and customers. Currently in the UK there is no legal obligation, under the Data Protection Act 1998 (DPA) to report personal data breaches to anyone. However the ICO guidance recommends that serious breaches should be brought to its attention. This is going to change soon.
After four years of negotiation, the new EU General Data Protection Regulation (GDPR) has been formally adopted by the European Parliament. When it comes into force (around May or June 2018), it will represent the biggest change to the European data protection regime in 20 years. For a summary of the Regulation see http://www.infotoday.eu/Articles/Editorial/Featured-Articles/The-new-EU-Data-Protection-Regulation-109425.aspx
The Regulation contains an obligation on Data Controllers to notify supervisory authorities (the ICO in the UK) of personal data breaches. In some cases this extends to the Data Subjects as well. This will have a big impact on Data Controllers both in the public and private sector.
Article 4 of the Regulation defines a personal data breach as:
"a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed"
Article 33 of the Regulation states that as soon as the Data Controller becomes aware that a personal data breach has occurred it should without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority (in the UK the ICO). There is no need to do this where the controller is able to demonstrate that the breach is unlikely to result in a risk for the rights and freedoms of individuals. For example a very minor data breach involving innocuous information about a few individuals. Where the 72-hour deadline cannot be achieved, an explanation of the reasons for the delay should accompany the notification.
The notification must contain the following minimum information:
- a description of the nature of the personal data breach including, where possible, the categories and approximate number of data subjects and data records concerned;
- the name and contact details of the controller’s Data Protection Officer (now a statutory position) or other contact point where more information can be obtained;
- a description of the likely consequences of the personal data breach;
- a description of the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, to mitigate its possible adverse effects.
Where it is not possible to provide the above information at the same time, the information may be provided in phases without undue further delay.
The new Regulation will require all personal data breaches, no matter how insignificant, to be documented by Data Controllers. This should include the facts surrounding the breach, its effects and the remedial action taken. This documentation must enable the supervisory authority to verify compliance with Article 33.