Introduction
As per the definition of EU GDPR Article 4, clause Art. 4 GDPR – Definitions - General Data Protection Regulation (GDPR) (gdpr-info.eu) a personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
The term “Unauthorized access” used in the definition of “data breach” has a large significance and includes access to an electronic information system and includes, but is not limited to, viewing, obtaining, or using data containing personal information in any form.
Under California Consumer Privacy Act, the data breach is defined as unauthorized acquisition of computerised data that compromises the security, confidentiality, or integrity of personal information, excluding certain good faith acquisitions.
The NIST, USA(The National Institute of Standards and Technology) ) Glossary | NIST defines data breach as an incident that involves sensitive, protected, or confidential information being copied, transmitted, viewed, stolen or used by an individual unauthorized to do so. Exposed information may include credit card numbers, personal health information, customer data, company trade secrets or matters of national security.
In all the above definition the term that is common is “unauthorized access” or data that is illegally obtained or stolen and thus exposing the personal information or the sensitive personal information of the person.
Different Categories of personal data breaches
As per EU GDPR, the personal data breaches can be categorised into the following:
- Confidentiality Breach where there is an unauthorized or accidental disclosure of or access to personal data. This type of breach is very common in healthcare industry.
- Integrity Breach is where there is an unauthorised or accidental alteration of personal data.
- Availability Breach where there is an accidental or loss of access to destruction of personal data. It happens when a cyberattack is executed to steal the personal data of the user in order to misuse or abuse the credentials. The objective of the cyber attacker or hacker is to steal the personal information in order to gain access to banking details or health data of the user to manipulate them to gain financial resources.
As per UK ICO, Personal data breaches | ICO, the following are the examples of different types of personal data breaches:
- Access by an unauthorized 3rd party
- Deliberate or accidental action or inaction by a controller or a processor
- Sending personal data to an incorrect recipient
- Computing devices containing personal data being lost or stolen
- Alteration of data without permission
- Loss of availability of personal data
GDPR rules in case of a data breach
The EU GDPR rules have been designed and enacted to secure and minimize the damage to the personal data of the data subjects. However even with the best of security protocols, equipment, best practices etc, many a times the data theft occurs with the help of cyberattacks or motivated attacks from the hackers.
As per Article 33, EU GDPR, when the data breach occurs, the data processor must inform the data controller without delay. The data controller then must report without undue delay to the Supervisory Authority or the Data Protection Authorities within 72 hours of becoming aware.
However, where a breach is likely to result in a high risk to the affected individual, the controller must inform those individuals without delay.
Some of the key points that are of utmost important are the following:
- All breach notifications must be notified using the “Breach Notification Form” as provided by the Supervisory Authority or the Data Protection Authority.
- The Breach Notification must include the nature of the breach.
- The Breach Notification must include the categories of personal data, the number of records, and the categories and the number of data subjects affected.
- The Breach Notification should also mention the likely consequences of the breach.
- The name and contact details of the Data Protection Officer or any other point of contact regarding the breach or even a Grievance Officer.
- The Breach Notification will also mention the additional measures taken to mitigate the effects of the data breach.
According to the Article 34, EU GDPR, in cases where a data breach occurs and is” likely to cause a high risk to the rights and freedoms of natural person” then the data controller as well as reporting it to the Supervisory Authority must also inform immediately the data subjects whose personal data has been affected.
What should a communication to a data subject contain
The communication to the data subject should describe in clear and plain language the nature of the personal data breach and should include the following information as required by the EU GDPR Article 34(2):
- The name and contact details of the data protection officer or any other person who can be contacted in case of data breach.
- A description of the likely consequences of the personal data breach
- A description of the measures taken or proposed to be taken by the data controller to address the personal data breach, including where appropriate, measures to mitigate its possible adverse effects.
An excellent resource and guide is available at Irish Data Protection Controller and can be download from Data Breach Notification_Practical Guidance_Oct19.pdf (dataprotection.ie)
What is data breach register and when it is necessary
If there is a suspected leak of information or the breach is unlikely to happen, then there is no need to report it to the Supervisory Authority. However, it must be documented in the Breach Register.
The Supervisory Authority or the Data Protection Authority may ask the data controller to provide with a Breach Register report when performing other routine checks in order to verify the compliance to the GDPR.
According to the EU GDPR Article 33(5), “The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the Supervisory Authority to verify compliance with this Article.”
Should the Data Processor report a personal data breach
If the organisation is acting as a Data Processor and it suffers a data breach, according to EU GDPR Article 33(2), the Data Processor must inform without undue delay to the Data Controller about the data breach. The data controller can define special conditions of reporting in the data processing agreement signed with the data processor.
The requirements for reporting personal data breach should be detailed and must be an integral part of the Data Processing Agreement between the data controller and the data processor.
Data breach regulations across the world
All 50 USA states have passed breached notification laws that include Washington DC, California etc. It requires states to notify the state residents of a security breach involving more sensitive categories of information such as Social Security Numbers, and other Government identifiers, health or medical information, credit card numbers, financial account number including banking details, insurance ID, Tax ID number, date of birth, on-line account credentials, biometrics as well as digital signatures.
In Australia, the new data breach law was notified by enacting Australia Privacy Amendment Act 2017, on 22nd February, 2018. They are covered under Notifiable Data Breaches Scheme. Under the new scheme entities with existing personal information security obligations under the Australian Privacy Act are required to notify the office of Australian Information Commissioner (OAIC) and affected individuals of all eligible data breaches this key. The scheme is in line with breach notification laws in other jurisdictions and represent a significant boost to privacy governance in Australia particularly in transparency and accountability.
Source: Data breach preparation and response - Home (oaic.gov.au)
Conclusion
The data breach notification is an integral part of reporting for Data Protection Impact Assessment as guided in EU GDPR. The same is applicable under UK GDPR and is mandated by the ICO, UK. The data breach notifications are very important in order to ensure that the personal data of the natural living person is given additional security measures so that they can be safeguarded from misuse or abuse that can result in financial losses and thus inflicting huge damage to the individual.
Source: GDPR General Data Protection Regulation - DATA SECURE
Source: UK Data Protection Act 2018 - DATA SECURE
Source: Breach Notification | Data Protection Commissioner
We at Data Secure (DATA SECURE - Privacy Automation Solution) can help you to understand Privacy and Trust while dealing with personal data and provide Privacy Training and Awareness sessions in order to increase the privacy quotient of the organisation.
We can design and implement RoPA, DPIA and PIA assessments for meeting compliance and mitigating risks as per the requirement of legal and regulatory frameworks on privacy regulations across the globe especially conforming to India PDPB 2019. For more details, kindly visit DPO India – Your outsourced DPO service (dpo-india.com).
For any demo/presentation of solutions on Data Privacy and Privacy Management as per EU GDPR, CCPA, CPRA or Draft India PDPB 2019 and Secure Email transmission, kindly write to us at info@datasecure.ind.in or dpo@dpo-india.com
For downloading various Global Privacy Laws kindly visit the Resources page in DATA SECURE - Privacy Automation Solution
For solutions on Schrems II or Lawful Borderless Data Transfer solutions, kindly visit our website www.borderless-data.com.
Kindly write to us at info@borderless-data.com for six steps solution for Lawful Borderless Data Transfer Solution