Data breaches under the GDPR: Five key questions

This summary provides a very brief overview of the legal and commercial issues you should consider if you suffer a personal data breach under the EU General Data Protection Regulation (the “GDPR”). It considers only the position in the UK; however, similar obligations apply in other EU Member States.

1. What does the law say?

Where a controller[1] suffers a personal data breach, that controller must:

  • record that breach and remedial steps taken in relation to the breach;
  • if the breach creates risks for individuals, report that breach to the Information Commissioner within 72 hours of becoming aware of the breach, where feasible; and
  • if the breach creates high risks for individuals, inform those individuals of the breach without undue delay.[2]

A personal data breach is one that affects the confidentiality, integrity or availability of personal data. Importantly, the breach does not have to involve a third party acquiring the information: accidental deletion of personal data or ransomware attacks are also caught. Note, however, that the GDPR is only relevant if the breach involves personal data (e.g. information about employees or consumers). If the breach only involves corporate information (e.g. financial results), these obligations will not be triggered.

Whether the personal data breach creates “risk” or “high risk” is a question of fact. For example, if a confidentiality breach involves information such as names, dates of birth and bank account information, the individuals might be vulnerable to identity theft and so the breach should be treated as high risk.

The information received in the early stages of a serious data breach is not always accurate or complete. However, if you are aware of a personal data breach that creates risk, you should normally report it to the Information Commissioner even if you will need to provide further information when it becomes available. Only in limited circumstances will it be possible to argue that notification within 72 hours is not “feasible”.

A controller can suffer a personal data breach in respect of personal data held by its processor. The contract with the processor should include an obligation on the processor to inform their controller when a personal data breach has occurred.

2. How do I report a breach to the Information Commissioner?

The Information Commissioner’s current practice is to ask that breaches are reported by telephone (though in some cases they may ask for confirmation in writing).[3]

Notification can also be made by completing a pro-forma Word document and emailing it to the Information Commissioner. This can be used if you are confident you have dealt with the breach appropriately or you want to report the breach outside normal opening hours. In practice, if you are going to report the breach by telephone, it would be sensible to complete the form beforehand to ensure you have the relevant information to hand.

3. What other issues should I consider?

Reporting the personal data breach to the Information Commissioner is only part of your response to the data breach. Other measures to consider include:

  • Investigate the cause of the personal data breach and verify the information you receive, since the information received in the early stages of a serious data breach is not always accurate or complete.
  • Take steps to prevent any reoccurrence (e.g. closing security vulnerabilities). This is normally the most important part of any breach response.
  • Take steps to mitigate the effects of the personal data breach on the relevant individuals. This might involve notifying the individuals of the breach and/or offering protection against identity theft.
  • Manage the public relations fall-out from the breach. If the breach is serious, you should prepare appropriate press releases and track when the story is about to break. You should aim to: “Tell it first, tell it fast, tell it all”.
  • Consider whether you need to notify anyone else about the breach, for example your insurers, the police, the National Cyber Security Centre or payment card networks.

4. What is my potential liability?

There are two potential areas of liability under the GDPR:

  • The Information Commissioner could take regulatory action. The most severe sanction would be the imposition of a fine (a penalty notice). That fine could, in theory, be for the greater of €10 million or 2% of annual worldwide turnover. In practice, the UK Information Commissioner never issued the maximum fine available under the old Data Protection Act 1998 (£500,000). She has described the suggestion she will simply scale fines up to the new limits under the GDPR as nonsense. In addition, the Information Commissioner is expecting around 30,000 breach notifications a year. Only a small proportion will likely result in enforcement action.
  • Private claims by individuals for damage or distress caused by the breach. Such claims have historically been rare but are becoming more common.

5. What other areas of law should I consider?

The GDPR is not the only area of law or potential liability to consider if you suffer a personal data breach. Other issues to consider include:

  • Whether there is an obligation to inform other sectoral regulators. For example, the Financial Conduct Authority expects to be told about anything of which it would reasonably expect notice. This will include serious data breaches.
  • Operators of critical infrastructure and certain online operators must notify security incidents within 72 hours under the Network and Information Systems Regulations 2018.
  • Telecoms providers must notify security breaches to the Information Commissioner within 24 hours under the Privacy & Electronic Communications (EC Directive) Regulations 2003.
  • Contractual and/or tortious liability to counterparties (including other companies).

A checklist for dealing with personal data breaches is available on request from your usual contact at Linklaters.

[1] Under the GDPR, the controller is the person who decides how personal data is used. It contrasts with a processor, who simply acts on the instructions of the controller.
[2] The key obligations are set out in Articles 33 and 34 of the GDPR and in the Article 29 Working Party Guidelines on personal data breach notification (WP 250).
[3] See https://ico.org.uk/for-organisations/report-a-breach/personal-data-breach/