Personal data breaches can occur as a result of many scenarios—these include phishing and ransomware attacks, internal human error such as accidental transmissions of data, lost or stolen devices, as well as software or hardware malfunctions.
Failure to notify the authorities of a personal data breach on a timely basis can result in significant fines, up to €10,000,000 or 2 percent of the total worldwide annual turnover, whichever is higher (article 83(4) GDPR). We have seen a number of very significant fines being imposed on companies that were late in notifying serious data breaches.
This article aims to help you prevent such fines by setting out what constitutes a personal data breach, how you can become aware of one, when to notify the supervisory authority and the affected individuals, and how to assess the risks related to personal data breaches (so as to determine if a notification is required).
What is a personal data breach?
A “personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data that are transmitted, stored or otherwise processed. In other words, a personal data breach is a security incident involving personal data where the controller is unable to ensure compliance with the GDPR’s key principles, as outlined in article 5 GDPR.
Personal data breaches can be categorized as follows:
- Confidentiality breach—there is an unauthorized or accidental disclosure of, or access to, personal data.
- Integrity breach—there is an unauthorized or accidental alteration of personal data.
- Availability breach—there is an accidental or unauthorized loss of access to, or destruction of, personal data.
Depending on the circumstances, a breach can concern the confidentiality, integrity and availability of personal data at the same time, as well as any combination of these.
In the event of a personal data breach, the GDPR requires a controller to notify the competent supervisory authority (or authorities) about the breach without undue delay, but no later than 72 hours after having become aware of it. Accordingly, it is paramount for a controller to understand at what point it can be considered to have become “aware.”
How does an organization become “aware” of a personal data breach?
A suspicion of a personal data breach can come from either internal or external sources. Internally, employees may encounter strange or unexpected emails, unusual password activities, suspicious pop-ups and malware detection. Externally, customer complaints and data-subject access requests can be signals of possible data breaches. For example, a customer might complain that they received a wrongly addressed email with the personal data of other customers. Or, as a result of a data-subject access request, an organization may find out that the database that houses its customers’ personal data has become inaccessible.
A vague suspicion of a personal data breach, without clear evidence, is not enough to consider that the controller is “aware”. The Article 29 Working Party (WP29), whose guidelines have since been endorsed by the European Data Protection Board, states in its Guidelines on personal data breach notification that a controller should be regarded as having become “aware” when it has a reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised.
After first being informed of a potential personal data breach by an individual, a source, or the organization itself, the controller should start an initial investigation as soon as possible. Through this initial investigation, the controller should establish with a reasonable degree of certainty whether a breach has taken place. The controller can be considered as being “aware” from the moment the initial investigation results confirm that there is a reasonable degree of certainty that a personal data breach occurred.
For example, if the customer from the example above, who complained by email about accidentally receiving an extract from the customer database that includes personal data, attaches that extract to the complaint, the organization has been handed direct evidence of the unauthorized disclosure and should treat itself as “aware” at that point.
Another example would be an organization that detects a possible network intrusion, which its internal security team then investigates and confirms, establishing that personal data was in fact accessed or exfiltrated. In that case the controller has clear evidence of a personal data breach, and there is no doubt that it has become “aware.” Note that a confirmed intrusion on its own is not yet evidence that personal data was compromised; the investigation has to establish that link, and the 72-hour period runs from the moment it does.
These examples clearly demonstrate the need for proper internal data breach notification procedures and data breach training for all staff handling personal data.
Once a controller can be considered “aware” of a personal data breach, a more detailed investigation and assessment should follow. In particular, it is essential to identify whether the data breach is likely to result in a risk to the rights and freedoms of individuals; if so, it should be reported to the supervisory authority.
When should you notify the supervisory authority of a breach?
The organization’s role under the GDPR determines whether it is obliged to report a personal data breach to the supervisory authority.
A controller is obliged to notify the competent supervisory authority of a personal data breach, unless it has been determined that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. As already noted, the notification should be filed without undue delay, but no later than 72 hours after the controller has become “aware” of the personal data breach. If the notification is given after the initial 72 hours, the controller should include the reasons for the delay. This obligation also applies to controllers that are not established in the European Economic Area, but whose processing of personal data is subject to the GDPR by virtue of article 3(2) GDPR.
A processor must notify the controller without undue delay when it becomes aware of a breach. The processor should not notify the supervisory authority unless instructed to do so by the controller, and it does not need to assess the likelihood of risk arising from the breach before notifying the controller, as that assessment falls under the purview of the controller. The controller is considered “aware” once the processor has informed it of the personal data breach, and the controller remains accountable for any significant delay between the moment of the breach and the moment the processor informs it. The controller should therefore have proper contractual arrangements with the processor on data breach notification (including the timescale within which the processor must report) and should seek assurances that the processor is able to meet these notification obligations.
Joint controllers should clearly determine and agree in their joint controller arrangements which party will take the lead on and is responsible for compliance with the data breach notification obligation as described above.
In the event a notification is called for, it should at least include the following:
- A description of the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- The name and contact details of the data protection officer or other contact point where more information can be obtained;
- A description of the likely consequences of the personal data breach;
- A description of the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
A notification may be conducted in phases, if not all information is available within 72 hours of becoming aware of the breach. This is likely when a data breach is complex, such as a cyber-security incident where in-depth forensic investigations may be necessary to fully establish the nature, volume and types of personal data involved. In practice, a preliminary notification will be made to the competent supervisory authority, accompanied with the notice that the notification does not include all the required information and the missing information will be provided once it is available. Supervisory authorities may set a deadline for such follow-up notifications.
When should an organization notify individuals that their data has been breached?
In addition to notifying the competent supervisory authority, a controller may also be required to notify the individuals whose data has been compromised. It should do so if the personal data breach is likely to result in a high risk to their rights and freedoms. The aim of such notification to individuals, which must be made without undue delay, is to provide specific information about the steps they should take to protect themselves.
As an exception to the above rule, it is not necessary to notify individuals, even if the personal data breach would likely result in a high risk to their rights and freedoms, in the following circumstances:
- Appropriate technical and organizational measures were implemented and applied to the personal data affected by the breach that render the data unintelligible to any person not authorized to access it (e.g. strong encryption, provided the key was not itself compromised in the breach).
- Remedial measures were taken that ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialize.
- Notifying the individuals would involve disproportionate effort. In such case, a public communication or similar measures, whereby the data subjects are informed in an equally effective manner, can be used instead.
As always, the obligation to notify the supervisory authority and the affected individual(s) is based on an assessment of the risks in a specific situation.
There may also be sectoral or country-specific requirements to report a personal data breach, or exceptions to such a requirement. For example, in the Netherlands, certain companies in the financial sector, such as banks and insurance companies, are exempt from this requirement.
How is the risk of a personal data breach assessed?
To support controllers who must assess the risk of a personal data breach, the European Union Agency for Network and Information Security (ENISA), together with the German and Greek data protection supervisory authorities, has developed a methodology to assess the “severity” of a data breach. “Severity” means the estimated magnitude of the potential impact on the individuals resulting from the data breach. The severity (SE) is calculated as SE = DPC x EI + CB, where DPC is the data processing context, EI is the ease of identification and CB is the circumstances of the breach.
These three elements are explained in depth below:
- Data Processing Context (DPC): This is the core of the methodology and evaluates the criticality of a given data set in a specific processing context. The DPC is determined by classifying the types of personal data involved in the breach into four categories, each with its own preliminary score: common (1), behavioral (2), financial (3) and special category data (4). In addition, contextual factors (such as data volume, special characteristics of the controller or the individuals, invalidity/inaccuracy of the data, public availability before the breach, and the nature of the data) should be assessed. Where such factors exist, they may increase or decrease the preliminary score. The methodology includes a list that sets out, per category, the preliminary score and the increase/decrease per contextual factor.
For example, imagine that a data breach occurs at a bank, and the affected dataset includes clients’ account balances from the last year, showing all transactions and related details. Because this is “financial data”, the methodology assigns a preliminary score of 3. Contextual factors such as the volume of the breach (several clients’ account balances over a full year) and the fact that this kind of data allows detailed profiling increase the score by 1, giving a total of 4. If the affected personal data fits into more than one category, these steps have to be followed for each applicable category, and the value used for the overall severity calculation is the highest of the resulting DPC scores.
- Ease of Identification (EI): The EI is a correcting factor of the DPC and determines how easily the identity of the individuals can be directly or indirectly deduced from the data involved in the breach. The EI is defined in four levels: negligible (0.25), limited (0.5), significant (0.75) and maximum (1). The methodology sets out that the same identifiers (e.g. full name, passport number, home address, photo or email address) can lead to different EI scores depending on the specific breach. For example, when identification is possible only through the individual’s full name, the EI is “negligible” if, in the given country, many people share that same full name. The EI is higher (“limited”) if only a few people in the country’s population share the same full name, and higher still (“significant”) if in a small city’s population only a few or no other people share it. The EI is at the highest level (“maximum”) if, in addition to a full name, other identifiers are part of the breach (e.g. date of birth).
- Circumstances of breach (CB): The CB is complementary to the DPC and EI and addresses four specific circumstances of the breach: the loss of confidentiality, integrity, availability and malicious intent.
- Loss of confidentiality occurs when the information is accessed by parties who are not authorized or do not have a legitimate purpose to access it. The scope of such loss affects the CB score. If personal data is exposed to a confidentiality risk without evidence that unlawful processing has actually occurred (e.g. a laptop lost in transit, or equipment disposed of without the personal data being destroyed), the CB score is 0. The CB score increases by 0.25 if personal data is disclosed to a number of known recipients (e.g. a wrongly addressed email sent to a number of known recipients, or customers able to access other customers’ accounts in an online service). If personal data is disclosed to an unknown number of recipients (e.g. personal data published on a publicly available social media platform, or a misconfigured website that exposes internal users’ personal data on the Internet), the CB score is 0.5.
- Loss of integrity occurs when the original information is altered and substitution of data can be prejudicial for the individual. The most severe situation would be if there are serious possibilities that the altered data have been used in a way that could harm the individual.
- Loss of availability occurs when the original personal data cannot be accessed (temporarily or permanently).
- The circumstance of malicious intent examines whether the breach was due to an error or mistake, either human or technical, or if it was caused by an intentional action of malicious intent (e.g. theft, hacking with the aim to harm individuals or unlawfully selling databases that include personal data).
The following data breach situation, combining all mentioned examples, illustrates the methodology: A personal data breach occurs at a bank because an employee has sent a wrongly addressed email with an attachment containing clients’ names (including one unique name), dates of birth, bank account numbers and account balances of the previous year to a number of the bank’s other clients.
For the purposes of determining the DPC, a name qualifies as “common data” (preliminary score 1) and the account balance extracts qualify as “financial data” (preliminary score 3). The financial data, combined with the contextual factors described in the example above, results in a total score of 4. As the DPC value for financial data is higher than that for common data, the DPC value for financial data (4) is used for the overall severity calculation.
The EI is affected, as one of the names in the attachment is unique and that person’s bank account number is included in the personal data breach. The EI level is identified as “maximum”, as in addition to the full name, another identifier (the date of birth) is part of the data breach. Therefore, the EI score will be 1 in this case.
The CB value is 0.25, as in this illustration the personal data was disclosed to a number of known recipients, namely a number of the bank’s other clients.
Building on the above, in this illustrative case, the “severity” score of this personal data breach is 4.25 (DPC (4) x EI (1) + CB (0.25)).
ENISA’s published severity table sets out four severity levels, low, medium, high and very high, each accompanied by an explanation of what that level means for the individuals concerned.
By using this methodology, controllers are able to determine whether or not they are obliged to notify the competent supervisory authority (i.e. in cases where a personal data breach is likely to result in a risk to the rights and freedoms of individuals) and individuals (i.e. in high-risk or very high-risk cases).
With regard to the illustrative personal data breach, the severity score is 4.25, which means that the personal data breach is likely to result in a very high risk to the rights and freedoms of individuals. In this case, the controller has the obligation to notify the competent supervisory authority and the individuals, as described above (unless exempt under local or sectoral rules).
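The calculation above is easy to get wrong once a breach spans several data categories or several CB components, so the following is an added example, written for this article and not taken from ENISA, the supervisory authorities or Dentons, that carries the SE = DPC x EI + CB methodology through in code and reproduces the bank example. The preliminary DPC scores, EI levels and loss-of-confidentiality values are the ones stated in the article. The severity band thresholds (low below 2, medium below 3, high below 4, very high at 4 or more), the clamping of a category score to the 1 to 4 range, and the rule that only a “low” outcome is treated as “unlikely to result in a risk” for the supervisory-authority decision are assumptions made here, since the article does not reproduce ENISA’s table or those rules. The integrity, availability and malicious-intent components of CB are taken as already-scored numbers because the article gives no scale for them.

```python
from dataclasses import dataclass
from typing import Dict, List

# Preliminary DPC score per category of personal data (values from the article).
DPC_BASE = {"common": 1.0, "behavioral": 2.0, "financial": 3.0, "special": 4.0}

# Ease-of-identification levels (values from the article).
EI_LEVEL = {"negligible": 0.25, "limited": 0.5, "significant": 0.75, "maximum": 1.0}

# Loss-of-confidentiality component of CB (values from the article).
CB_CONFIDENTIALITY = {
    "no_evidence_of_processing": 0.0,  # e.g. lost laptop, no sign the data was used
    "known_recipients": 0.25,          # e.g. misaddressed email to identifiable recipients
    "unknown_recipients": 0.5,         # e.g. data published on the open Internet
}

# ASSUMPTION: the article does not reproduce ENISA's severity table. These upper
# bounds (low < 2, medium < 3, high < 4, very high >= 4) are the ones used in the
# ENISA methodology and they reproduce the article's "4.25 is very high".
SEVERITY_BANDS = [(2.0, "low"), (3.0, "medium"), (4.0, "high")]


@dataclass
class DataCategory:
    """One category of data present in the breach plus its contextual adjustments."""
    name: str                  # key of DPC_BASE
    adjustments: List[float]   # e.g. [+1.0] for large volume / profiling potential


def dpc_score(categories: List[DataCategory]) -> float:
    """Score every category present and keep the highest, as the article describes."""
    scores = []
    for cat in categories:
        raw = DPC_BASE[cat.name] + sum(cat.adjustments)
        # ASSUMPTION: contextual factors cannot push a category below 1 or above 4.
        scores.append(min(max(raw, 1.0), 4.0))
    return max(scores)


def cb_score(confidentiality: str, integrity: float = 0.0,
             availability: float = 0.0, malicious_intent: float = 0.0) -> float:
    """Sum the four CB components. Only the confidentiality scale is given in the
    article; the other three are passed in as already-scored numbers."""
    return CB_CONFIDENTIALITY[confidentiality] + integrity + availability + malicious_intent


def severity_band(score: float) -> str:
    """Map a severity score to one of the four ENISA bands (thresholds assumed above)."""
    for upper, label in SEVERITY_BANDS:
        if score < upper:
            return label
    return "very high"


def assess(categories: List[DataCategory], ei_level: str, confidentiality: str,
           **other_cb: float) -> Dict[str, object]:
    """Apply SE = DPC x EI + CB and derive the two notification decisions."""
    dpc = dpc_score(categories)
    ei = EI_LEVEL[ei_level]
    cb = cb_score(confidentiality, **other_cb)
    score = dpc * ei + cb
    band = severity_band(score)
    return {
        "dpc": dpc, "ei": ei, "cb": cb,
        "score": round(score, 2),
        "band": band,
        # Article: individuals must be notified in high-risk and very-high-risk cases.
        "notify_individuals": band in ("high", "very high"),
        # ASSUMPTION: only a "low" outcome is treated as "unlikely to result in a risk".
        "notify_authority": band != "low",
    }


if __name__ == "__main__":
    # The article's bank example: names (one unique), dates of birth, account numbers
    # and balances, misaddressed by email to a number of the bank's other clients.
    bank_breach = assess(
        [DataCategory("common", []), DataCategory("financial", [+1.0])],
        ei_level="maximum",
        confidentiality="known_recipients",
    )
    print(bank_breach)  # score 4.25, band 'very high', both notifications required
```

Changing a single input shows how sensitive the outcome is: the same attachment sent to a lost laptop scenario with no evidence of processing drops CB to 0 and the score to 4.0, still “very high”, whereas a breach of common data only (names with many namesakes, EI negligible) scores 0.25 and lands in “low”. The value of running the numbers is less the arithmetic than forcing the team to write down, for each category and each circumstance, why it chose the score it did; that record is what the supervisory authority will ask for.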
The ENISA methodology provides controllers with a toolkit to make the risk assessment more objective. Controllers have no reason to panic when a personal data breach occurs; the methodology allows for a calm, reasoned assessment of the risk.
If you require immediate assistance regarding a data breach, contact our team at DataIncidentResponse@dentons.com and you will be directed to an individual who can assist you immediately.