The recent revised and adopted guidelines on personal data breach notification under the GDPR have been published. These guidelines set out examples of what a personal data breach is and the actions expected of data controllers and processors. This article explores the examples of a data breach and the expectations on schools. For more information on how we can support your organisation, see our DPO Essentials Service here.
For absolutely no charge, we are providing our resources, advice and the engine of 9ine to give your organisation the peace of mind that any GDPR related information request or breach, cyber security attack or incident, safeguarding or child protection concern will be expertly triaged.
The guidelines give the following examples of personal data breaches:
- Where the controller’s database has been lost or stolen
- Where personal data has been lost and there are no backups
- Where data has been encrypted by ransomware
- Where there has been significant disruption to IT services, such as a power failure or denial of service attack
- Where there is a lack of access to data that can have a significant impact on the rights and freedoms of natural persons. An example is a hospital, where in the event that medical data becomes unavailable, there could be a risk to the individual.
- Where there has been a loss of an unencrypted USB key with personal data stored
- Where the controller has inadvertently disclosed unauthorised personal data to a third party, including both paper-based and electronic forms
- Where the controller has identified possible unauthorised intrusion of its network.
- Where personal data of a large number of students are mistakenly sent to the wrong mailing list of 1000+ recipients
- Where a direct marketing email is sent to recipients in the ‘to’ or ‘cc’ fields
- Where paper documents with personal data have been lost or misplaced
Once the controller has become aware of a breach such as in the examples above, a risk assessment is required to determine the risk to the rights and freedoms of individuals. Notification to the supervisory authority is required unless a breach is unlikely to result in a risk to the individual.
Once you have been made aware of the potential breach, there is a time limit of up to 72 hours in which to determine the need for and if so, to notify the supervisory authority.
When a breach or potential breach has occurred, controllers should be following an incident response plan or governance framework to manage the breach evaluation. In managing a breach or potential breach, controllers are obliged to do the following:
- Undertake a short period of investigation to establish whether or not a breach has occurred, including implementing all appropriate technical protections and organisational measures to determine this
- Review the Data Protection Impact Assessment (DPIA) associated with the processing activity affected by the breach. Take account of the specific circumstances of the breach and re-evaluate the risk.
- Assess the likely risks to individuals to determine the requirement for notification, as well as the actions needed to address the breach
- Have in place a ‘responsible person’ or persons tasked with addressing the breach
- Act to contain and recover the breach
- Document the history of the breach as it develops
- Report the breach upwards to the appropriate level of management
Where a breach is determined to be ‘notifiable’ to the supervisory authority, notification should be made without undue delay and where feasible, no later than 72 hours.
To give your school, college, or university the confidence that any GDPR related information request or breach, cyber security attack or incident, safeguarding or child protection concern will be expertly triaged, get in touch using the link below.
Considerations of the Supervisory Authority in assessing the consequences of a breach
The guidance sets out that the following information should be provided to the supervisory authority when reporting a breach. At the minimum, it should:
- Describe the nature of the personal data breach, including where possible, the categories and approximate number of data subjects concerned, as well as the categories and approximate number of persona data records concerned
- Communicate the name and contact details of the Data Protection Officer or other contact point where more information can be obtained
- Describe the likely consequences of the personal data breach
- Describe the measures taken, or proposed to be taken by the controller to address the personal data breach, including where appropriate measures to mitigate its possible adverse effects
Not having all the information above should not be a barrier to reporting to the supervisory authority. The guidance states that effort should be focussed on addressing the effects of the breach, rather than providing precise information.
In some cases, there may be uncertainty around whether a breach has occurred or what the extent of that breach is. In the example of a lost encrypted USB drive, the guidance goes on to say:
“A controller notifies the supervisory authority within 72 hours of detecting a breach that it has lost a USB key containing a copy of the personal data of some its customers. The USB key is later found misfiled within the controller’s premises and recovered. The controller updates the supervisory authority and requests the notification be amended.”
There is a consistent message of ‘appropriate organisational and technical measures’ in all guidelines adopted by the Article 29 Working Party on the protections that organisations should have in place to limit the risk of a personal data breach. Where a breach is reported, this new guidance places the following responsibility on the supervisory authority:
“It should be ascertained whether all appropriate technological protections and organisational measures have been implemented to establish immediately whether a personal data breach has taken place and to inform promptly the supervisory authority and the data subject”
What this guidance means for your school
To comply with the regulation, your school must:
- Map all data processing activities (analogue and digital) and assess the risk given the requirements of WP248 rev.01 Guidelines on DPIAs - our free GDPR Readiness Toolkit enables you do this
- Complete DPIAs where possible - our free GDPR Readiness Toolkit enables you do this
- Complete a data / IT systems assessment for compliance with Article 32 - our free GDPR Readiness Toolkit enables you do this
- Have assessed the IT (technical) risks of IT systems and services, and put into place proportionate organisational and technical measures. Our IT Systems Assessment v. NSCS 10-Steps and other cyber security penetration testing services enable you to do this.
- Have plans in place that leadership understand to recover and restore IT services if needed. Our IT Operations Improvement Team have the tools and resources to help you do this.
- The confidence that leadership understand how the IT systems are configured, managed and protected
- Nominate a Data Protection Officer or other ‘responsible’ person. Our DPO Essentials service reduces the burden of time needed to undertake these roles.
- Have in place policies, processes and procedures to manage information rights requests - our DPO Essentials service provides you with these
- Have in place policies, processes and procedures (incident management plan) to manage the breach evaluation and notification obligations. Our DPO Essentials service provides you with these.
- Provide the resources such as being able to call upon experts to mitigate the impact and manage the breach - our DPO Essentials service provides you with this
- Have in place a process for regular testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of processing. Our DPO Essentials service provides you with this.
- Have confidence that the most senior level of management (Leadership / Governors) have the evidence to show the supervisory authority that all appropriate technological and organisational measures were implemented to minimise the risk of a breach. Working with 9ine provides your senior managers with independent, objective, risk-based advice and guidance on compliance action and activity.
- Have confidence that when a breach has occurred, the most senior level of management (Leadership / Governors) have, within 72 hours, provided the resources to contain and recover the breach. Our DPO Essentials service provides you with this.
- Document all the above for evidence of compliance - our free GDPR Readiness Toolkit enables you do this
Where we can help:
We have the tools, expertise and support services to help you manage compliance. We work with schools within the UK and internationally, having significant and relevant experience to efficiently enable you to manage and implement your compliance obligations. For more information on how we can support your school, please get in touch.
If the GDPR is of concern to you, please do take advantage of our free advisory service providing independent and objective guidance to help schools with their IT audit and compliance obligations. We are offering this service until the end of August 2018. Click below to book a free consultation with one of our experts.
© Nine (9ine) Consulting Ltd. All rights reserved 2018. This article must not be quoted from, referred to, used by or distributed to any other party without the prior consent of Nine (9ine) Consulting Ltd who accept no liability of whatsoever nature for any use by any other party. In using or referring to this document, Nine (9ine) Consulting Ltd shall not be liable, whether in tort (including for negligence or breach of statutory duty), contract, misrepresentation or otherwise for: loss of profits; or loss of business or; depletion of goodwill or similar losses; or loss of anticipated savings; or loss of goods; or loss of contract; or loss of use; or loss or corruption of data or information; or any special, indirect, consequential or pure economic loss, costs, damages, charges or expenses.")