Breach of the General Data Protection Regulation (GDPR) – when should I report it?

In recent months there have been a number of high profile breaches with respect to data protection laws, including Yahoo! UK Services Limited who were fined £250,000, Gloucestershire Police who were fined £80,000, Dixons Carphone and British Airways. Dixons Carphone and British Airways are likely to be the first breaches that have been reported under the new GDPR and are currently still under investigation by the Information Commissioner’s Office (ICO).
Under the GDPR, there is a requirement to report any relevant breaches within 72 hours of becoming aware of the breach, where feasible. In addition to this, there is also an obligation to inform individuals who are likely to be affected.

It is important to note that not all breaches need to be reported to the ICO and on discovering a breach you should assess whether it needs to be reported or not. The ICO and the GDPR itself does provide guidance to what a relevant breach is. The ICO identifies that a relevant breach would be one that it likely to affect people’s rights and freedoms or there is a risk that it will affect people’s rights and freedoms. The GDPR explains that:
A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned.
It is therefore important to assess each breach on a case by case basis and look at all relevant factors. It is useful to look at the reported breaches I have mentioned above in determining what breaches to report:
• In the case of Dixons Carphone, it has been reported that the data breach involved 10 million customers. The personal information that was accessed included names, addresses and email addresses as well as details of payment cards.

• In the case of British Airways, it is currently reported that approximately 380,000 transactions were affected and included personal information and financial details of customers. The British Airways is a good example of how a breach was reported within the 72 hour time period required under the GDPR as the breach was discovered in the evening of 5th September. Affected customers were informed in the evening of 6th September and it was reported on 6th September. They also took steps in advertising the breach in newspapers to make all customers aware.

It is likely that Dixons Carphone and British Airways will be the first two to fall under the GDPR and so it will be interesting in the coming months to see how these breaches are assessed by the ICO and if any fines are given as a result of the breaches.
It is important to note that if you assess that the breach is not a relevant breach for the purposes of reporting to the ICO, you must document your assessment of the breach and justification for not reporting it. It is also important to have contracts in place with any suppliers or third parties that you transfer personal data to or who process personal data on your behalf, putting in place obligations for these third parties to inform you of breaches within 24 hours of becoming aware so that you have time to conduct your assessment before the 72 hour period expires.

If you require any further information with respect to reporting breaches under GDPR, Data Sharing Agreements or GDPR in general, please contact Lorna Kempsell on 01638 560556 or lkempsell@edmondsonhall.com.