The recent revised and adopted guidelines on Personal data breach notification under the GDPR have been published. These guidelines set out examples of what a personal data breach is and the actions that are expected of data controllers and processors. This article explores the examples of a data breach and the expectations on schools.
The guidelines give the following examples of personal data breaches:
- Where the controller’s database has been lost or stolen.
- Where personal data has been lost and there are no backups.
- Where data has been encrypted by ransomware.
- Where there has been significant disruption to IT services, such as a power failure or denial of service attack.
- Where there is a lack of access to data that can have a significant impact on the rights of freedoms of natural persons. An example is a hospital, where in the event that medical data becomes unavailable, there could be a risk to the individual.
- Where there has been a loss of an unencrypted USB key with personal data stored.
- Where the controller has inadvertently disclosed unauthorised personal data to a third party, including across both paper-based and electronic forms.
- Where the controller has identified possible unauthorised intrusion into its network.
- Where personal data of a large number of students are mistakenly sent to the wrong mailing list of 1000+ recipients.
- Where a direct marketing email is sent to recipients in the ‘to’ or ‘cc’ fields,
- Where paper documents with personal data have been lost or mislaid.
Once the controller has become aware of a breach such as in the examples above, a risk assessment is required to determine the risk to the rights and freedoms of individuals. Notification to the supervisory authority is required unless a breach is unlikely to result in a risk to the individual.
Once you have been made aware of the potential breach, there is a time limit of up to 72 hours in which to determine the need for and if so, to notify the supervisory authority.
When a breach or potential breach has occured, controllers should be following an incident response plan or governance framework to manage the breach evaluation. In managing a breach or potential breach, controllers are obliged to do the following:
- Undertake a short period of investigation to establish whether or not a breach has occured. Including implementing all appropriate technical protections and organisational measures to establish to determine this.
- Review the Data Protection Impact Assessment (DPIA) associated with the processing activity affected by the breach. Take account of the specific circumstances of the breach and re-evaluate the risk.
- Assess the likely risks to individuals in order to determine the requirement for notification, as well as the actions needed to address the breach.
- Have in place a ‘responsible person’ or persons tasked with addressing the breach.
- Act to contain and recover the breach.
- Document the history of the breach as it develops.
- Report the beach upwards to the appropriate level of management.
Where a breach is determined to be ‘notifiable’ to the supervisory authority, notification should be made without undue delay, and where feasible, no later than 72 hours.
Considerations of the Supervisory Authority in assessing the consequences of a breach
The guidance sets out the following information that should be provided to the supervisory authority when reporting a breach. At the minimum it should:
- Describe the nature of the personal data breach, including where possible, the categories and approximate number of data subjects concerned, as well as the categories and approximate number of persona data records concerned.
- Communicate the name and contact details of the Data Protection Officer, or other contact point where more information can be obtained.
- Describe the likely consequences of the personal data breach.
- Describe the measures taken, or proposed to be taken, by the controller to address the personal data breach, including where appropriate, measures to mitigate its possible adverse effects.
Not having all the information above should not be a barrier to reporting to the supervisory authority. The guidance states that effort should be focussed on addressing the effects of the breach, rather than providing precise information.
In some cases, there may be uncertainty whether a breach has occured or what the extent of that breach is. In the example of a lost encrypted USB drive, the guidance goes on to say:
“A controller notifies the supervisory authority within 72 hours of detecting a breach that it has lost a USB key containing a copy of the personal data of some its customers. The USB key is later found misfiled within the controller’s premises and recovered. The controller updates the supervisory authority and requests the notification be amended.”
There is a consistent message of ‘appropriate organisational and technical measures’ in all guidelines adopted by the Article 29 Working Party on the protections that organisations should have in place to limit the risk of a personal data breach. Where a breach is reported, this new guidance places the following responsibility on the supervisory authority:
“It should be ascertained whether all appropriate technological protections and organisational measures have been implemented to establish immediately whether a personal data breach has taken place and to inform promptly the supervisory authority and the data subject”
What this guidance means for your school
To comply with the regulation, your school needs to:
- Map all data processing activities (analogue and digital) and assess the risk given the requirements of WP248 rev.01 Guidelines on DPIAs - our free GDPR Readiness Toolkit enables you do this.
- Complete DPIAs where possible - our free GDPR Readiness Toolkit enables you do this.
- Complete a data / IT systems assessment for compliance with Article 32 - our free GDPR Readiness Toolkit enables you do this.
- Have assessed the IT (technical) risks of IT systems and services, and put in place proportionate organisational and technical measures - our IT Systems Assessment v. NSCS 10-Steps and other cyber security penetration testing services enable you to do this.
- Have plans in place that leadership understand to recover and restore IT services if needed - our IT Operations Improvement Team have the tools and resources to help you do this.
- The confidence that leadership understand how the IT systems are configured, managed and protected.
- Nominate a Data Protection Officer or other ‘responsible’ person - our DPO Essentials service reduces the burden of time needed to undertake these roles.
- Have in place policies, processes and procedures to manage information rights requests - our DPO Essentials service provides you with these.
- Have in place policies, processes and procedures (incident management plan) to manage the breach evaluation and notification obligations - our DPO Essentials service provides you with these.
- To provide the resources such as being able to call upon experts to mitigate the impact and manage the breach - our DPO Essentials service provides you with this.
- Have in place a process for regular testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of processing - our DPO Essentials service provides you with this.
- Have the confidence that the most senior level of management (Leadership / Governors), have the evidence to show the supervisory authority that all appropriate technological and organisational measures were implemented to minimise the risk of a breach - working with 9ine provides your senior managers with independent, objective, risk based advice and guidance on compliance action and activity
- Have the confidence that when a breach has occurred, the most senior level of management (Leadership / Governors) have, within 72 hours, provided the resources to contain and recover the breach - our DPO Essentials service provides you with this.
- Document all the above for evidence of compliance - our free GDPR Readiness Toolkit enables you do this.
Where we can help:
We have the tools, expertise and support services to help you manage compliance. We work with schools within the UK and Internationally, having significant and relevant experience to efficiently enable you to manage and implement your compliance obligations. For more information on how we can support your school, get in touch.
For more information on DPO Essentials:
© Nine (9ine) Consulting Ltd. All rights reserved 2018. This article must not be quoted from, referred to, used by or distributed to any other party without the prior consent of Nine (9ine) Consulting Ltd who accept no liability of whatsoever nature for any use by any other party. In using or referring to this document, Nine (9ine) Consulting Ltd shall not be liable, whether in tort (including for negligence or breach of statutory duty), contract, misrepresentation or otherwise for: loss of profits; or loss of business or; depletion of goodwill or similar losses; or loss of anticipated savings; or loss of goods; or loss of contract; or loss of use; or loss or corruption of data or information; or any special, indirect, consequential or pure economic loss, costs, damages, charges or expenses.")