Alex Franch

10 Examples Of SME Data Breaches And How To Prevent Them

As an SME, your organisation must understand what a data breach is, how to identify one and when it should be notified to the Information Commissioner's Office (ICO). This blog post outlines the basics of data breaches, with examples to help you put them in context for your organisation.

Contents

  • What is a data breach?
  • What is personal data?
  • Examples of data breaches
  • When should data breaches be notified?
  • How to prevent a data breach?

What is a data breach?

Data breaches are defined by the GDPR as:

“A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed” (Article 4(12) GDPR).

The Article 29 Working Party (WP29) Guidelines further clarify the above to mean:

  • the destruction of data as data no longer existing or existing in a form that is useless to the controller;
  • the loss of data as data that exists but where the data controller no longer has access to it;
  • the alteration of data as data being made incomplete in some way such as corrupted data or where data is altered without the consent of the data subject; and
  • the unauthorised disclosure of, or access to data, as the sharing, storing or processing of personal data with unintended recipients.

What about the temporary loss of data?

The WP29 guidance advises that temporary loss of data can be a data breach if the lack of access impacts the rights and freedoms of individuals (see the example below). If the temporary loss is more serious, then the breach may even need to be notified to the ICO. In any case, temporary data loss should be documented, as with permanent losses of data, to show your organisation’s accountability.

What is personal data?

Personal data is defined under Article 4 (1) GDPR as:

“Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.

It can be either objective, such as the name and email of a person, or subjective, such as thoughts and opinions on them, for example, when organisations make assessments on individuals to provide them access to products like banking or insurance. Subjective data also includes data on an individual’s viewpoints and their interactions within society, like their behaviours and actions. WP29 also draws our attention to how data need not be accurate or correct to be considered personal data; this is why the GDPR has separate provisions for correcting wrongly held information.

Personal data also has to relate to natural persons. A person is a natural person from birth until their death, regardless of their nationality or residency, as the right to privacy is considered a universal right. Whilst the rules on data related to the deceased are slightly different, WP29 suggests that it may be easier to treat such data the same way as that of natural persons because the data of the deceased may indirectly contain data relating to the living. For example, sensitive data on a deceased person with haemophilia may indirectly identify their offspring with the same condition.

What is not personal data?

Data relating to organisations is not considered personal data. Other information not considered personal data includes:

  • Company-wide emails such as info@organisation.com
  • Anonymised data
  • Data that cannot identify individuals*

However, this does not mean that national data laws cannot apply and deem certain data to be personal data. Other legal regimes unrelated to data regulations, such as criminal or intellectual property law, may also apply. Your organisation may need to assess this on a case-by-case basis.

Examples of data breaches

  • Sharing personal data of clients on social media platforms without their consent
  • Sending an email to the wrong person containing a client’s full name and address which may have negative consequences for the client
  • Exposure of personal data to unintended audiences
  • Loss of data where the data has been deleted accidentally or by unauthorised third parties, or the decryption key has been lost in the case of encrypted data
  • Loss of data due to the loss of hardware such as USB sticks and written notes
  • The permanent loss of personal data that did not have a backup, such as handwritten notes which are the only available records - this is also known as an availability breach
  • Temporary loss of personal data which would have been crucial at the moment it was required, such as the temporary loss of hospital records that led to the cancellation of an appointment or surgery
  • Third party break-ins to steal files containing personal data of employees and clients
  • Altering data without the consent of the data subject where there are no backups
  • Cyber attacks

See a detailed analysis of the impact of leaked data for this one hotel reservation platform where the credit card details of over 100,000 customers were exposed here.

When should the ICO be notified?

If you experience a personal data breach, you need to consider whether it poses a risk to people, and the likelihood and severity of that risk to people’s rights and freedoms following the breach. After this assessment, if it’s likely there will be a risk then you must notify the ICO; if it’s unlikely then you don’t have to report it, but you must justify this decision and document it.

If you are reporting a breach, it should be reported to the ICO without undue delay and within the first 72 hours of the breach, starting from when you became aware of it. A failure to notify the ICO of a relevant data breach may lead to a fine of up to EUR 10m or 2% of your annual global turnover, whichever is higher.

Click here for an online assessment of whether you should report to the ICO.

You should also assess the impact on individuals, as organisations should report a data breach to data subjects without undue delay if there is ‘a high risk to the rights and freedoms of natural persons’, for example, if the data breach infringes on their safety in any way. However, the threshold for reporting to data subjects is a higher bar than reporting to the ICO, so it is likely that you would need to report to the ICO first in any case. In other instances, reporting data breaches to data subjects too often can cause fatigue, so that a serious one is not taken with the gravity it deserves.

For information on how to notify a data breach, please see our future post on notifications.

How to prevent a data breach?

Conducting risk assessments such as a Data Protection Risk Assessment (DPIA) and recording them can help you minimise data breaches. Risk assessments can help you identify how old your software is, where vulnerabilities may lie and the level of training your staff have received, so that you can manage the overall likelihood of a data breach within your organisation. The Privasee dashboard is a quick and simple way for your organisation to keep on top of these components and helps you coordinate the intersection between multiple risk conditions. Features that help you record the time and date of DPIAs and the person responsible for conducting them can help you better manage your overall data risks with increased oversight. Preventing data breaches need not be costly nor a headache with the right tools.

*https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en

Disclaimer

This article does not constitute legal advice in any form and only seeks to break down some of the main points set out by publicly available sources such as the ICO.

Sources and further resources

European Commission - What is Personal Data?

Article 29 Working Party Opinion 4/2007 on the concept of personal data

Article 29 Working Party Guidelines on Personal data breach notification under Regulation 2016/679

Personal Data breach examples

Personal Data Breaches ICO

July 27, 2021
