Personal data breach
A personal data breach is described as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
In general terms, a personal data breach is therefore a security incident that has affected the confidentiality, integrity or availability of personal data and may involve:
- access by an unauthorised third party including unauthorised staff;
- deliberate or accidental action (or inaction) by a controller or processor;
- sending personal data to an incorrect recipient;
- computing devices containing personal data being lost or stolen;
- alteration of personal data without permission; or
- loss of availability of personal data.
In summary, when any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable, for example encrypted by ransomware, a personal data breach will have occurred.
The effect upon an individual
Some personal data breaches will not lead to risks beyond inconvenience, but others can adversely affect individuals whose personal data has been compromised. This can include emotional distress, and physical and material damage.
If not addressed, a breach can cause significant damage; for example, an individual may suffer from identity theft or fraud, financial loss, damage to reputation, or other significant economic or social disadvantage. In responding to a personal data breach a controller and processor must, therefore, consider all relevant factors and objectively assess the risks to an individual.
Controllers should already have made some assessment of the risk that the processing poses to individuals, and taken it into account, when determining what level of security was appropriate for the personal data being processed. However, an example of methodology that can be used to assess the severity of risk to individuals of personal data breaches can be found below.
Controllers are required to notify a personal data breach to the Commissioner without undue delay and, where feasible, within 72 hours after becoming aware of the breach, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of an individual.
If a personal data breach is likely to result in a high risk to the rights and freedoms of affected individuals, then the controller must also inform affected individuals without undue delay.
Where a processor suffers a personal data breach, the processor must notify the controller without undue delay.
These obligations are set out in Articles 33 & 34 and further explained in Recitals 85 to 88 of the Applied GDPR.
What can happen if a personal data breach is not notified?
Failing to notify a breach when required to do so can result in a penalty of up to £1,000,000. The Commissioner may also combine a penalty with other corrective powers under Article 58 of the Applied GDPR.
Controllers subject to the supervision of an EU data protection authority may be subject to a penalty up to €10 million or 2 per cent of global turnover.
It is therefore important to have a robust breach-reporting process in place.