As we all know, the General Data Protection Regulation makes reporting personal data breaches to the Supervisory Authority compulsory in certain cases. A personal data breach is a breach of security that leads to the unlawful or accidental destruction, loss, alteration of, unauthorised access to or disclosure of personal data. Where such a breach is likely to cause a risk to data subjects’ rights and freedoms, it needs to be reported to the Supervisory Authority (the Information Commissioner’s Office in the UK). This means that if the incident is likely to cause reputational damage, financial loss or damage, enable identity theft, or lead to discrimination, for example, it needs to be reported. If the breach is “likely to result in a high risk” to “the rights and freedoms” of data subjects, then all those affected need to be informed, although there are some circumstances where notifying all those affected will not be required. The report must be made as soon as possible and within 72 hours of becoming aware of the incident.
There is the possibility of hefty fines for breaches of GDPR, up to €20m or four percent of worldwide turnover. Not only this, the publicity and poor PR that can accompany a breach can lead to reputational damage, which can be hard to recover from and can have wide-ranging negative consequences. This makes having an internal data breach reporting and investigation plan essential. Each organisation needs to keep comprehensive records of breaches, the risk assessments it has carried out of those breaches, and the mitigations undertaken to contain or neutralise each breach. Most breaches within an organisation are likely to be minor and will not meet the threshold for reporting to the Supervisory Authority. Organisations still need to keep clear records to justify why a decision not to report was made.
All of this rests on your employees and contractors reporting breaches to you straight away. As well as having processes in place for this to be done, it is essential to have a culture that encourages reporting. Where employees are anxious about reporting for fear of repercussions, breaches can get hidden. People may not admit to a breach, especially where it involved human error, if they think they will be disciplined. Internal league tables showing the number of breaches by team or department can create a culture where the number of breaches is key: the fewer reported internally the better, and those teams with a high number of reports are seen as failing.
But is that really the case? Are those lower reporting areas really better at avoiding data breaches and so demonstrating higher compliance levels? Or are they merely better at hiding the errors and being less honest, hoping that their breaches will not be so serious they are found out?
It is important for organisations to look into the reasons behind low levels of breach reporting. Quite apart from the difficulties a failure to report internally can cause, given the duty to report and the possibility of reputational damage down the line, it is also bad business practice. Organisations can learn from low-level breaches and near misses. They can use those lessons to improve practices and processes to avoid a more serious breach occurring. It is often the case that a reportable breach doesn’t come out of the blue; there may have been numerous smaller non-reportable breaches of the same type before it. An example would be when non-sensitive personal information is sent to the wrong postal address, and the recipient realises they have received the letter in error and sends it back unopened. This is not a reportable breach, but it does give the organisation the opportunity to examine what went wrong. Was it human error in inputting the address? Is there a problem with the system not updating addresses promptly? Or is one part of the organisation being told of a new address and this not being shared where it is needed? Learning from low-level breaches and near misses can help you find and fix the weaknesses in processes before a major issue occurs.
Having an internal culture of openness around breaches, where everyone is encouraged to report, is essential. Whilst there is always the possibility of disciplinary action for breaches caused by egregious human error, staff should be reassured that self-reporting would generally be a mitigating factor for them and is to be encouraged. Staff should be encouraged to be open and honest, to work with the data protection and information security teams to mitigate breaches, and to proactively suggest process improvements to prevent breaches. Senior management should be encouraged to view an increased level of breach reporting as a useful tool for spotting trends and issues before they become major problems, and not to view an increased number of reports as a problem in itself.
There is a role for the Data Protection Officer to play here, where the organisation has one, in explaining why an increase in reports of breaches and near misses can be an opportunity for improvement rather than necessarily a cause for concern.