Data breach management: top tips for assessing risk under the GDPR

The EU General Data Protection Regulation (GDPR) requires that, in certain circumstances, controllers who suffer a personal data breach must notify data protection regulators and individuals (data subjects) whose personal data has been compromised. Whether such notifications are required will depend on an assessment of the level of risk resulting from the personal data breach.

Are you ready to assess risk? 

It is Friday afternoon, you get a call from the finance team: the electronic payslips for the whole workforce were accidentally sent to a random supplier an hour ago.   

As well as acting swiftly to mitigate, you have 72 hours to decide whether the incident is likely to result in risk to the workforce and on that basis be notifiable to relevant data protection regulators (Article 32 GDPR).

If so, you also need to make a notification within that timeframe. Not to forget at the same time assessing whether that risk would cross a nebulous threshold into 'high risk' territory, making it notifiable to the workforce as well (Article 34 GDPR).

The key to swift assessments you can have confidence in

Ideally, you have guidance to hand that sets out the business' methodology for assessing risk to data subjects which aligns with regulator's views and other trusted guidance. 

This saves time, fosters a consistent approach to risk assessment and provides a sound basis for making assessments.

When assessing risk, controllers must carry out an objective assessment and take into account a combination of factors, namely, the severity of the potential impact on the rights of the data subjects and the likelihood of these occurring.  

Having these factors documented in guidance means they are less likely to be forgotten in the heat of the moment.

Controllers must also document their risk assessment and maintain a log of personal data breaches (reportable and non-reportable). Your guidance should ideally include an assessment template for documenting risk assessments.

Act fast to mitigate

The immediate concern for any organisation suffering a breach is to contain it, such as blocking a cyber-attack or asking the wrong recipient to delete information sent to them in error (as in the example above).

Assessing the risk resulting from a breach is crucial in the early stages of breach management because it helps organisations contain and address the breach as well as determine whether it is notifiable.  

Taking swift and effective mitigation action could make a difference in terms of whether or not a breach is notifable and/or complaints are made by data subjects.

There are other clear benefits to making a speedy decision. First, where data subjects need to be told what precautions they have to take and receive advice and support from the controller on how to mitigate any potential negative impact resulting from the breach (e.g. change of password, credit card replacement). If managed efficiently and in a user-friendly manner, this will reduce the risk of complaints.

Acting fast is also to the advantage of controllers in the event of regulatory scrutiny, as the GDPR lists effort to mitigate damage suffered by data subjects as one of the factors which should be taken into account when deciding on the amount of a fine.

Our top 5 factors to take into account when assessing risk

Here are some tips on the elements to consider when assessing risk:

1. Security: if your organisation has suffered a breach, the saving grace could well be if the personal data in question is rendered unintelligible to anyone who shouldn't see it by use of e.g. sufficiently strong encryption.  Unfortunately, this is too rarely the case but worth asking the question just in case.  If not unintelligible, what other security measures might have been in place such as masking of data that would make it more difficult to identify data subjects?
2. Personal data involved: what type of personal data has been compromised, how many records are involved or who the affected data subjects are, are significant factors for any assessment. The compromise of sensitive data (e.g. credit card or other financial data, passport number, health information) normally indicates a much higher risk. However, information of lower sensitivity used in combination with sensitive data or by itself, if very granular, may still result in risk of harm because it could, for example, allow fraudsters to obtain a more accurate picture of the data subject. How easy it would be to identify the data subjects would also be an important consideration; this will sometimes depend on the technology that has been implemented. If the affected data subjects belong to an especially vulnerable group (e.g. children), the risk will increase.
3. Consequences for data subjects: for instance, the possibility of being a victim of identity theft or fraud, physical danger, distress, public disgrace would be considered severe consequences and 'high risk'.  On the other hand, the potential for some minor inconvenience, such as temporary unavailability of a non-crucial account, would not.
4. Circumstances of the breach: circumstances such as a malicious exfiltration of data from systems compared with an accidental disclosure can make a significant difference to the likelihood of harm to data subjects.
5. Type of controller: the activities of the controller may contribute to the risk of a breach, for instance, a medical organisation is more likely to process sensitive data of patients, which, subject to a breach, it more likely to be reportable.

Leading by example

Sample scenarios published by regulators can be very helpful for sense checking your own risk assessments against.

Many EU data protection regulators offer guidance about how to assess breaches. The EDPB (a body including all EU data protection regulators) provides a helpful annex in its breach notification guidance paper with examples of breaches and a brief assessment of whether they are notifiable or not[1].

It will be helpful to also be familiar with the guidance of the business' lead data protection regulators and/or the local data protection regulators the business is more likely to need to notify.

The UK data protection regulator (ICO) provides many useful examples of breaches in its on-line guidance[2]. The French data protection regulator (CNIL) has also issued guidance on this topic[3].
The Spanish data protection regulator (AEPD) suggests the application of a formula whereby risk is calculated on the basis of the following parameters (each of which is given a numerical value) i.e. personal data involved, the potential impact on the data subject and the volume of the data. Breaches scoring higher than a certain set value would then be reportable[4].

Get ready!

Controllers suffering a breach are required to act under significant time pressure. It is therefore crucial that controllers are clear on how to appropriately carry out risk assessments. Improvisation may lead to confusion and rushed decisions.

As well as having a risk assessment guidance in place, it helps to have a personal data breach response policy which describes who should do what in a personal data breach situation and provide a toolkit for the breach team to work with. This might include, for example template questionnaires for investigating incidents, legal hold letters and a 'quick look' checklist for responding to a personal data breach. 

Training staff through mock breaches will help the team prepare for a swift and effective breach response and is the best way to ensure that the procedures 'on paper' work in practice.