What Is a GDPR Breach?
One more into the breach
A GDPR breach could carry serious consequences, with fines of up to 20 million Euros enshrined in the regulation for the most serious breaches. This fear causes some companies to be overzealous in reporting any situation where there is even a remote risk of personal data becoming known to third parties. This wastes time and resources for both your business and the Supervisory Authority (in the UK that’s the ICO).
It's better to err on the side of caution, but after reading this article you'll see that, although the General Data Protection Regulation might be more restrictive than the previous Data Protection Act, it is often misunderstood. Whilst the most effective option is to hire a Data Protection Officer, it’s a good idea for every organisation to know the basics of the GDPR and what it means when it talks about ‘data breaches’.
What is the General Data Protection Regulation (GDPR)?
GDPR is a regulation that came into effect on 25 May 2018 to make the laws about data protection identical in all member states of the European Union and European Economic Area. As a consequence, companies that do business in multiple EU countries need only comply with GDPR, as there are no differences in the laws protecting the personal data of individual users (or, as the regulation calls them, data subjects) across the GDPR signatory countries.
This regulation applies not only to all companies in the EU and EEA but to any business that stores or processes personal data of individuals from either of these entities. So if you’re a business in the USA that provides services to the EU/EEA, you need to adhere to the GDPR.
Because of the GDPR, all companies with "professional or commercial activity" that are in any way handling personal data are obliged to have adequate systems in place to protect the privacy of individuals and minimise the possibility of a personal data breach.
How does GDPR define personal data?
Before we delve into this matter further, let's consider what personal data, according to GDPR, really is. In the text of this regulation, we can find a fragment where personal data is defined as "name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."
However, one rather common misconception is that companies only need to protect the personal data of their customers, which isn't true. All companies should also protect their employees’ personal data.
How does GDPR define a personal data breach?
This is another subject that is often poorly understood. When we hear of a personal data breach, most of us think of hackers gaining access to databases where the information about customers or any individuals is stored.
Although such a situation would indeed count as a personal data breach, if we once again look into the GDPR, we'll find that it is defined as an "accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed."
This means that a data breach isn't in any way limited to situations in which an unauthorised person gained, or could gain, access to personal data. It also includes situations in which the data is edited, a data carrier that contains personal data is lost, or the only copy of such a file is deleted.
The GDPR applies not only to data stored digitally but also to paper documents, so even if an unauthorised person comes into contact with a scrap of paper that describes personal information, it would be a personal data breach. Real-life examples of such occurrences include:
- Destruction or loss of the only copy of paper documents containing personal data.
- Digital records containing personal data being deleted, accidentally edited or overwritten with no possibility of retrieving the previous version. Regardless of whether this is the result of an error, an omission, or a lack of the necessary training of employees in handling personal data, it would be considered a data breach.
- Sending a message containing personal data to an unauthorised person by mistake is another type of data breach. The same also applies if a third party gains access to such files through other means – for example, due to a hacking attack, after which the attackers could potentially make this information widely known.
This list by no means covers all of the possible situations that would constitute a personal data breach, but rather aims to show that such an occurrence isn't limited to the actions of hackers, nor to unauthorised persons gaining access to digital records or paper documents. Even leaving someone’s name and email address on a post-it note could technically constitute a data breach. However, as we'll find out in a moment, not all GDPR breaches warrant notifying a Supervisory Authority.
When should you report a personal data breach?
Another common source of confusion is when, according to the GDPR, companies should report a data breach to the authorities. As it turns out, not every single data breach requires a company to contact a supervisory organisation.
According to the GDPR, there's no need to compose a report if a personal data breach "is unlikely to result in a risk to the rights and freedoms of natural persons." This means that an entity responsible for storing or processing information doesn't have to inform the authorities of every data breach, whether caused by a mistake or anything else: for example, a lost pen drive that an unauthorised person might find, but which could in no way result in negative consequences for an individual.
It really depends on the situation and the type of information that is lost, modified, or shared by mistake. If the "rights and freedoms of natural persons" are in no way threatened, all you need to do is document the event in your breach register. In this situation there is no need to contact the Supervisory Authority about this type of data breach, though your DPO should still be involved.
How does the GDPR define the risk to rights and freedoms?
Before we proceed to the section in which we'll explain when you should report a personal data breach, let's first focus on what the GDPR means by a risk to "rights and freedoms."
If we take a closer look at the regulation, we'll find out that it is defined as a "physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned."
Although the list of possible situations that constitute reportable data breaches is quite long, the regulation instructs processors of personal data to report only those situations that could negatively affect the lives of the data subjects.
In the case of most data breaches, such as accidentally modifying a list containing information on data subjects, there wouldn't be a possibility that such an occurrence could harm the reputation of individuals or lead to any financial loss. However, it all really depends on the context and the type of personal data that would be lost, modified, or shared by accident with an unauthorised person.
What should you do in the case of a personal data breach?
But what if a data breach does, in fact, pose a threat to the aforementioned "rights and freedoms" of individuals? Such an event should be reported within the next 72 hours. Apart from that, those whose lives could be affected should be notified about the data breach in the next 72 hours. Failure to do so could result in substantial fines being imposed on the business responsible for the processing of personal data.
That doesn't mean, though, that a fine is the inevitable consequence of failing to report an incident without undue delay, within 72 hours. In an attempt to avoid a fine, companies often overstress the importance of submitting the data breach report as soon as possible, often to the detriment of their customers' privacy.
The first priority should be to ensure that a similar situation won't be possible in the future. Although all the employees whose responsibilities include handling and processing personal data should go through training on this subject, it is also recommended to provide them with regular refresher training on how to avoid data breaches.
In this day and age, it is easy to put security safeguards in place to reduce the risk of unauthorised persons accessing files containing personal data, and thus minimise the possibility of a risk to the "rights and freedoms".
Another thing worth mentioning is that every company should avoid keeping comprehensive data about customers in multiple files if it’s unnecessary. Usually, there is no such need, and by limiting the amount of information that is stored in a single place, the chances of a data breach taking place become slimmer. Only store the data that you really need and securely delete all unnecessary data.
Even if you report the data breach to the Supervisory Authority, you might still be found to have neglected your responsibility to implement security systems that adequately protect the privacy of users and make breaching the GDPR less likely. The level of fines depends on a multitude of factors – it's even possible that, although your company hasn't suffered a breach, the GDPR could be violated in another way, such as by creating an environment in which such a thing could occur in the future.
Apart from the fines (the lowest tier is up to €10 million, or 2% of annual turnover, whichever is higher), your company could even be banned from processing the information of data subjects if the circumstances of the data breach were particularly problematic.
Although these consequences can seem quite severe, the primary objective of the GDPR is not to punish the businesses that fail to safeguard against the possibility of a personal data breach, but rather to make it less likely that inappropriate handling of the data will result in negative consequences for users, such as loss of reputation, financial loss, or discrimination.
The intent behind this regulation is to encourage data processors to treat the subject more seriously, as it's a matter of fundamental importance. Ultimately, to prevent a data breach from taking place, or at least to make it an unlikely occurrence, ensuring that every employee has gone through adequate training could be enough.
Depending on the type of data processing with which your business concerns itself, you should consider whether files containing personal data are encrypted, and if not, if there is a chance that they could be accessed by unauthorised personnel. However, even if your company adheres to GDPR guidelines, a personal data breach could happen. Even the best security systems can be undone by human error and honest mistakes.
However, reporting a personal data breach doesn't necessarily mean that your company will find itself in financial trouble. The essential part is to consider what caused the personal data breach and whether the situation could easily have been avoided. Before you start drafting a report, focus on taking care of the situation at hand first, so that the possibility of another breach caused in the same way is eliminated. Only then should you proceed to contact the Supervisory Authority.
Unfortunately, it is often the case that business owners attempt to inform the supervisory organisation without taking care of the problem. According to GDPR, the report detailing the data breach should be sent within 72 hours without undue delay, but let's not put the cart before the horse. The ultimate goal of the GDPR is to decrease the likelihood of data breaches, and prioritising reporting over fixing the problem would be the opposite of that.
Conclusion
There is still a lot of confusion surrounding the GDPR. Many business owners in the UK & EU aren't sure what constitutes a personal data breach. The best option for these companies is to invest in an outsourced Data Protection Officer service. Bulletproof wrote a blog exploring the roles and responsibilities of a DPO. Although complying with the regulation might require investing additional resources in staff training, there are good reasons to do so: GDPR non-compliance presents a serious risk to your business.
We hope that after reading this article, we have cleared up any confusion. For organisations wanting more detail, we have a GDPR White Paper and webinar that both look at the GDPR in more detail. And for those businesses struggling with getting started, we have our 10 Steps to GDPR Compliance infographic.