Anna Drozd, policy adviser on professional issues at our Brussels Office, explains what personal data breaches are and how to report them under the GDPR.
Keeping client data safe is nothing new for solicitors - not least because it ties in with the duty of confidentiality.
Under the Data Protection Act 1998 there is no obligation to report personal data breaches. However, the advent of the General Data Protection Regulation (GDPR) will introduce a data breach notification requirement and potentially high penalties for non-compliance.
So what is a personal data breach?
The GDPR defines it as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed” (Article 4(12)).
Will it need to be notified?
Yes, when it is likely to “result in a risk to the freedoms and rights of natural persons” (Article 33).
The data controller must notify the breach to the supervisory authority (which in the UK is the ICO) where it is likely to result in a risk to the freedoms and rights of data subjects. Where that risk is a high one, the controller must in addition report the breach to the data subjects themselves (Article 34, subject to several exceptions).
When will you need to notify the breach?
Within 72 hours of becoming aware of it, so the deadline is a tight one. The 72 hours run continuously - weekends, holidays etc. are not factored in. If you do not meet the 72-hour deadline, you must justify the reasons for the delay.
What should be notified to the supervisory authority?
Article 33 of the GDPR specifies that the notification to the supervisory authority must include:
- the nature of the data breach (including the categories of data, number of data records or number of data subjects affected)
- name and contact details of the data protection officer
- likely consequences of the breach
- measures taken to address the breach
Will I have to keep records of personal data breaches?
Yes, according to Article 33(5) your firm will have to maintain documentation on data breaches, their nature and what remedial actions you took.
What are the sanctions for failure to report a breach?
Fines can be up to €10m or 2% of the total worldwide annual turnover of the previous financial year, whichever is higher. This is quite apart from the substantial reputational damage caused by a breach, which could in turn have even more serious consequences for the business than the penalty itself.
The key is to have systems in place to minimise the risk of a breach in the first place, but you should also make sure that you have processes in place to ensure speedy notification if a breach does occur.
The Article 29 Working Party is consulting on draft guidance on breach notifications.