How to report a data breach under GDPR

The General Data Protection Regulation (GDPR) is a broad set of regulations that dictate how a company handles the personal data of citizens within the European Union. Articles 33 and 34 of the GDPR outlines the requirements to notify both a supervisory authority and affected data subjects in the event of a data breach.

While the details of what an organization needs to report in the event of a breach is defined within the legislation, when to report a data breach and which authority you should report the incident to are not as clear. Do you know when your organization should report a data breach, what you need to report, and where to report it to stay GDPR compliant?

When to report a data breach under GDPR

According to the GDPR legislation, an organization must report a data breach to a data protection authority (DPA), also known as a supervisory authority (SA), if there an incident “leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data” that leads to a potential risk to people’s rights and freedoms. The European Data Protection Supervisor (EUDPS) advice notes that while not every information security incident is a personal data breach, every personal data breach is an information security incident.

If the breach could result in “loss of control over their personal data or limitation of rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned,” as listed in Recital 85 of GDPR, a company is required to report the incident.

Events listed by the EDPS that could count include:

• A customer database that has been lost or stolen (including lost on removable storage such as USB sticks)
• The only copy of a set of personal data has been encrypted by ransomware or has been encrypted by the controller using a key that is no longer in its possession
• Data is deleted either accidentally or by an unauthorized person
• A distributed denial of service (DDoS) attack renders personal data temporarily unavailable if access to that data is critical — for example, in a hospital.

Failure to notify a data protection authority of a breach can result of a fine of €10 million ($11.3 million) or 2 percent of a company’s global turnover.

An example where a company would not be required to inform a DPA listed by the EDPS would be “a brief power outage lasting several minutes at a controller’s call centre, meaning customers are unable to call the controller and access their records.” If a company decides that a breach does not fall under the requirements to notify a DPA of the breach, it is still required to inform its data protection officer (DPO) and formally document the breach.

The UK ICO provides a self-assessment service to gauge whether a company needs to report an incident.

Where to report a breach under GDPR

Once an organization has decided that it is required to report a breach, it should contact the relevant DPA. Which DPA an organization should report a breach to depends on the organization: if a company only operates in one country or all data collection, processing and decision-making around that data is done locally, then the local DPA is the only one you need to inform.

If data is traveling across borders, the DPA of the country in which decisions around processing that data are made should be informed (known as a leading supervisory authority, or LSA). For example, if an organization’s European headquarters is in London but an incident occurs in Germany where the data is processed, the breach should be reported to the UK ICO, as that’s where decisions around the data are made. However, if decision-making about data is split among different locations — say London for employee data and France for customer data — then the UK ICO would be the LSA for incidents around employee data and the French CNIL would be the LSA for those involving employee information.

If a company has no official established presence within in the EU but still suffers an incident involving EU citizen data, it must, according to EU advice, “deal with local supervisory authorities in every Member State they are active in.” The International Association of Privacy Professionals (IAPP) provides a list of all the EU DPAs and includes links to relevant forms or contact details for each.

Organizations that have suffered an incident are required to notify a DPA within 72 hours of becoming aware of the breach. There is the caveat of “where feasible” in the wording, but companies will be required to provide reasoning for the delay. If an organization isn’t able to provide all the required details immediately, they can inform the DPA in stages and provide more details to the authority as they become known.

What to report under the GDPR

Organizations reporting an incident will need to answer a series of questions about the breach including:

• When the breach happened
• When and how it was discovered
• Categories of personal data included in the breach
• Size of the breach both in terms of records lost and people affected
• Possible impact on data subjects as a result of the breach
• Impact on the organization’s ability to provide services to users
• Recovery time
• Whether affected citizens have been informed
• Actions the company is taking or will take to remediate and prevent such an incident in the future.

Most DPAs have breach notification forms on their sites that provide a template on how to report an incident.

Companies must also inform those affected by the breach. If there is a “high risk” of affecting individuals’ rights and freedoms, the EDPS notes organizations must inform those individuals “without undue delay.” When informing people affected by an incident, organizations are required to “describe the nature of the personal data breach as well as recommendations for the natural person concerned to mitigate potential adverse effects,” according to the EDPS.

Depending on your industry, reporting an incident under the GDPR may well mean you are required to report the incident under other data protection regulations such as HIPAA, PIPEDA or eIDAS. The US National Conference of State Legislatures (NCSL) provides a state-by-state list of breach notification legislation.

Breach notifications are challenging

A Freedom of Information Act request by Redscan found that prior to GDPR, companies took an average of 21 days to report a breach to the UK ICO, with one company taking 142 days. Ninety-three percent did not specify the impact of the breach or did not know the impact at the time it was reported.

A report released by the EDPS in February 2019 showed it had received a total of 64,600 breach notifications since GDPR came into effect in May 2018. An average of 250 self-reported data breaches between June and October 2017 were submitted to the ICO, according to numbers shown to CSO. The equivalent months of 2018 after the GDPR came into effect saw an average of 1,400 per month.

However, it seems that GDPR’s breach notifications are still daunting for companies. an Experian and Ponemon report into data breach resolution found that just over half of organizations believe the effectiveness of their data breach response plans is “very high,” yet less than 30 percent of companies surveyed said they had a high ability to comply with the GDPR’s data breach notification rules.

“One of the easiest things is notifying the DPA within 72 hours,” says Michael Bruemmer, vice president of Experian’s Data Breach Resolution group. “I think [the lack of confidence in GDPR-compliant notification] is more lack of awareness than lack of understanding. It doesn’t say you have to have all your forensics done. It doesn’t say you have to notify consumers at that point in time. It doesn’t say that you have to have absolutely everything, ‘T’s crossed and ‘I’s dotted.  It just means you need to make sure that you are announcing ‘We think we’ve had a breach; we’re at this stage in our process; we’re going to conclude it by we think this time; and if it is a breach we will notify.’”

In the face of unsurety, many companies are taking a “report everything” approach to complying with the notification requirements. Speaking at the CBI Cyber Security: Business Insight conference in September 2018, the UK’s deputy information commissioner James Dipple-Johnstone highlighted how the ICO is facing an issue of “over-reporting” by companies: “We have been receiving around 500 calls a week to our breach reporting line since May 25,” he said, “and roughly a third of these are from organizations who, after a discussion with our officers, decide that their breach doesn’t meet our reporting threshold.”

Prepare for those 72 hours

The best way to ensure compliance with data breach notification requirements, whether under GDPR or any other regulation, is to plan ahead. Understand what you need to report to whom, work those requirements into any incident response plans you have, and test them regularly.

“It’s not good enough just to have a plan and check the boxes,” says Experian’s Bruemmer. “You need to understand what data you have, how it’s protected. You need to have a plan in place and practice that plan, rehearse it, update it on a quarterly basis, and have tabletop exercises and make it as realistic of an exercise as possible. It’s no different than if you put it in in the same category of as a firedrill. The business continuity and disaster recovery folks understand that, but that hasn’t necessarily made its way all the way into cyber security, planning and responding to a breach.”