Although it remains unclear whether the General Data Protection Regulation (GDPR) will directly apply in the UK in light of the country's vote to leave the EU, the UK watchdog has published a new piece of general guidance to help companies understand what their duties are under the new legislation.
In its overview of the GDPR, the ICO explained, among other things, what organisations should do to prepare for new data breach notification rules. Those rules require them to tell data protection authorities and the public about personal data breaches they experience in certain circumstances.
"You should make sure that your staff understands what constitutes a data breach, and that this is more than a loss of personal data," the ICO said. "You should ensure that you have an internal breach reporting procedure is in place. This will facilitate decision-making about whether you need to notify the relevant supervisory authority or the public."
"In light of the tight timescales for reporting a breach - it is important to have robust breach detection, investigation and internal reporting procedures in place," it said.
A personal data breach is defined under the Regulation as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed".
Under Article 33 of the Regulation data controllers are generally required to notify local data protection authorities of personal data breaches they have experienced "without undue delay and, where feasible, not later than 72 hours after having become aware of it … unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons".
Where personal data processing has been outsourced, data processors would, "without undue delay after becoming aware of a personal data breach", have to inform the data controller of the incident. In practice, therefore, data processors would have to report every personal data breach that occurs on their watch to data controller and data controllers would then have to report breaches that are likely to 'result in a risk to the rights and freedoms of natural persons' to the authorities.
Information to be disclosed will include details of the nature of personal data breaches, including what categories of people the incident concerns, how many people are impacted and the type and approximate number of records exposed.
A higher threshold for notifying affected members of the public of data breaches will apply under the Regulation.
Data breaches must be "likely to result in a high risk to the rights and freedoms of natural persons" before notification would be required, but there are further conditions set out in the legislation to restrict the circumstances in which notification would need to be made.
If data controllers have applied "appropriate technical and organisational protection measures" to the personal data affected by a breach then they would not have to notify data subjects about those incidents. This includes cases, for example, where encryption has been applied to data to render it "unintelligible to any person who is not authorised to access it", according to the Regulation.
Alternatively, if data controllers take action after a breach to "ensure that the high risk to the rights and freedoms of data subjects … is no longer likely to materialise" then notification of those incidents to data subjects would not be mandatory.
When the threshold for notification to data subjects is triggered, notification must be made by data controllers without undue delay.
Data protection law expert Marc Dautlich of Pinsent Masons, the law firm behind Out-Law.com, said: "In-house counsel will need to define what in practice in their organisation constitutes a personal data breach, in line with the GDPR definition, so that employees can be given training to recognise such breaches and to report them internally, and secondly, because in legal terms that will determine when the clock starts to tick for notification.. Lessons can be adapted from other fields, such as product recall, where clear and practical rules already exist for the steps that different parties must take in a product recall. Businesses could treat preparing for a cyber attack as they would for product recall or a health and safety issue."
"In many cases security vulnerabilities originate in a business' supply chain. Data controllers need to be cognisant of the implications of this. In particular, since prevention is always better than cure, and as the law already requires it, vetting sub-contractors before selecting them, followed by a robust contract, which under GDPR will require new content, and finally ongoing monitoring of adherence in the supply chain to agreed security measures are each critical steps to take," he said.
"'Processor' organisations must report breaches to controllers – in practice, establishing protocols between the parties for public announcements about a security breach will be important, since both parties, as well as potentially others too, may want or need to interact publicly with various stakeholders – customers, regulators, stock markets, for example. The parties will in many cases want to agree those protocols in a written agreement," he said.
"In practice, organisations in crisis need a simple and clear plan to identify whom to contact and how to keep communications flowing. In a severe crisis, email or telephone systems may not always be available – so knowing whom to contact and how to contact them is important to identify during a preparation exercise," Dautlich said.
Companies that fail to comply with the data breach notification rules could be fined up to €10 million or 2% of their global annual turnover, whichever is higher, under the Regulation.