A data breach can have a significant impact on an organisation, from an operational, financial and reputational perspective.
A personal data breach is defined under the General Data Protection Regulation ((EU) 2016/679) (GDPR) as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
In 2020 there were significant fines imposed on data controllers by the Data Protection Commission (DPC) for personal data breaches ranging from €75,000 in respect of breaches by the public body Tusla in May 2020 to the ground-breaking €450,000 in respect of a breach by Twitter.
The GDPR and the Data Protection Acts 1988 to 2018 specify the circumstances in which, and how, a data breach must be notified to the DPC and to data subjects.
Not all breaches must be notified to the DPC.
Data controllers must notify any personal data breach to the DPC unless they can demonstrate that it is unlikely to result in a risk to data subjects, and must notify the data subjects themselves where the breach is likely to result in a high risk to them.
That assessment is not always easy.
On the 25th of February 2021, the DPC published its annual report for 2020.
The report notes that of the 10,151 data breaches notified to the DPC in 2020, only 65% were valid breach notifications.
The DPC has opined that many data controllers are erring on the side of caution by reporting all data breaches to the DPC and to data subjects, even where they are not obliged to do so, in an attempt to avoid fines. This is causing an excess of breach processing within the DPC's office and also unnecessary worry amongst data subjects who, in many cases, need not have been notified.
An appropriate risk analysis must be carried out, as over-notification can attract unnecessary and unwanted attention and/or litigation.
In January 2021 the European Data Protection Board (EDPB) adopted new guidelines on data breach notification, which were subject to public consultation (which closed on 2 March 2021). The guidelines will complement the earlier Working Party guidelines on data breach notification, WP250.
The new Guidelines (EDPB Guidelines – Reporting of Data Breaches) set out the most common data breach scenarios that supervisory authorities in EU countries have encountered over the last few years.
The Guidelines contain a number of fictitious case studies that can be referred to when a data controller experiences a data breach and requires guidance on how to react to that breach.
Each case study sets out when to consider notifying data subjects and/or supervisory authorities of a breach as well as suggested mitigation steps to take to manage that breach and best practices to adopt after a data breach.
The case studies in the Guidelines range from an example of a high-risk breach where there was a ransomware attack on the information system in a hospital to a low-risk breach where an email containing some customer personal data in an insurance company was sent to the incorrect recipients.
In the hospital example the information system was exposed to a ransomware attack. Restoration of the data took 2 days and led to major delays in treating patients, with surgeries cancelled or postponed. This was a high-risk example because the severity of the consequences for the data subjects was very high.
The low-risk example deals with the accidental transmission of an email within an insurance company. In this case, the insurance agent who received it was bound by professional secrecy and was the sole recipient of the email. The email contained contact data for 24 customers but no special categories of personal data. This was a case of unintentional human error that did not require reporting; the only step to be taken was to raise employees' awareness of the need to double-check email recipients before pressing send.
An assessment of a data breach should consider both the likelihood of the risks materialising and their severity, so that the breach can be categorised as no risk, risk or high risk in accordance with the criteria set out in the Guidelines.
Once the Guidelines are finalised, data controllers should consider updating their Data Breach Protocols in line with the Guidelines.
If you need assistance with the assessment of your reporting obligations in the event of a data breach, please contact Sarah Coughlan or one of the team below.
Sarah Coughlan (Senior Associate), Judith Curtin (Partner), Conor Lupton (Partner), Fiona O’Connell (Partner), Elaine O’Flynn (Associate)