How should you deal with a personal data breach? Farina Azam, head of commercial at Travlaw, offers practical steps and advice.
With the ICO recently imposing large fines against Marriott International and British Airways (almost £100 million and £183 million respectively) for their now-infamous data security breaches, it’s important to consider what to do if you have to deal with a breach that affects the confidentiality, integrity or availability of your clients’ personal data.
If you’ve become aware of a security incident, first establish the facts: the nature and cause of the breach, and the extent of any damage or harm it has caused or may still cause.
Is the security incident ongoing? If so, take action to stop the data security breach from continuing or recurring.
Determine who the data controller is for the purposes of the breach. The data controller is the party that determines the purposes for which, and the manner in which, personal data is processed. A processor, which handles the data on the controller’s behalf, must tell the controller about a breach without undue delay, but the notification duties described below fall on the controller.
Has any personal data been affected? If so, what types of personal data, such as name, address or date of birth?
Has any “sensitive” personal data (what the GDPR calls special category data) been affected? This includes information on disabilities or medical conditions, ethnic origin, sexual orientation or religious beliefs. Payment or credit card details and passport details are not special category data, but their exposure carries a high risk of fraud or identity theft, so consider them with the same care.
Has any other information been disclosed which, taken together with other personal information, could have an adverse impact? For example, a customer’s dates of travel combined with their home address reveals when that home will be empty.
Has the information been received or accessed by a third party? If so, do you know who this third party is?
Consider the timeline. If the security incident was temporary, for how long was the personal data accessible or at risk?
The General Data Protection Regulation (GDPR) requires controllers to notify the ICO of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals affected. If the notification is made after 72 hours, it must be accompanied by the reasons for the delay.
If the personal data breach is likely to result in a high risk to data subjects’ rights and freedoms, controllers must also inform the affected data subjects without undue delay. In assessing the risk to rights and freedoms, focus on the potential negative consequences for the affected individuals.
The GDPR explains that a breach can, if not addressed in an appropriate and timely manner, result in physical, material, or non-material damage to individuals. These could include: limitation of their rights; discrimination; identity theft or fraud; or financial loss or damage to reputation.
It can also include any other significant economic or social disadvantage to those individuals, including emotional distress.
A hotel that holds copies of guests’ scanned passports to verify addresses and nationalities discovers that an unauthorised third party has downloaded all of its customers’ information. The hotel should inform both the ICO and the affected customers: there is a high risk that the information could be used for identity theft or fraud, with a significant adverse effect on those customers.
Security-related events should be escalated to a named person or team responsible for handling incidents.
The risk to individuals should be assessed (is the breach unlikely to result in a risk, likely to result in a risk, or likely to result in a high risk?) and the relevant parts of the organisation informed.
Where required, the ICO should be notified within 72 hours, and the affected individuals as well where the risk is high.
Every breach should be documented as it develops, recording the facts, its effects and the remedial action taken, whether or not it was reportable; the ICO may ask to see this record.
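To show how the checklist above, the 72-hour clock and the breach record fit together in practice, here is an added triage helper. It is illustrative code written for this article, not Travlaw’s or the ICO’s, and the tiering rules in it (which data types count as high-risk factors, how unknown third-party access is treated) are assumptions made for the example; a real assessment is a judgement on the facts. The hotel scenario is constructed sample input.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# ASSUMPTIONS: the tiers and factors below encode the article's checklist as
# illustrative rules. They are not the ICO's test; every real breach needs a
# judgement on its facts. The category labels are invented for this example.
SPECIAL_CATEGORY = {"health", "disability", "ethnic_origin", "sexual_orientation",
                    "religion", "political_opinions", "trade_union", "genetic", "biometric"}
HIGH_IMPACT_IDENTIFIERS = {"passport", "payment_card", "bank_account"}
ICO_WINDOW = timedelta(hours=72)   # Art. 33(1): where feasible, within 72 hours of awareness


@dataclass
class BreachFacts:
    controller: str                      # who determines the purpose and manner of processing
    aware_at: datetime                   # when the controller became aware; the 72h clock starts here
    contained: bool                      # has the incident been stopped from continuing or recurring?
    data_types: List[str] = field(default_factory=list)
    accessed_by_third_party: Optional[bool] = None   # None = unknown, treated as exposed
    third_party_identity: Optional[str] = None
    combination_risk: bool = False       # e.g. travel dates together with a home address
    exposure_minutes: Optional[int] = None


@dataclass
class Triage:
    risk: str                            # "no risk", "risk" or "high risk"
    notify_ico: bool
    notify_individuals: bool
    ico_deadline: datetime
    reasons: List[str]


def assess(facts: BreachFacts) -> Triage:
    """Apply the checklist to the facts and derive the notification obligations."""
    deadline = facts.aware_at + ICO_WINDOW
    if not facts.data_types:
        return Triage("no risk", False, False, deadline, ["no personal data affected"])

    types = set(facts.data_types)
    reasons: List[str] = []
    if not facts.contained:
        reasons.append("incident ongoing: contain it before anything else")
    exposed = facts.accessed_by_third_party is not False   # unknown counts as exposed
    if facts.accessed_by_third_party is None:
        reasons.append("third-party access unknown; assumed")
    elif exposed:
        reasons.append(f"accessed by third party: {facts.third_party_identity or 'unidentified'}")
    if facts.exposure_minutes is not None:
        reasons.append(f"data at risk for {facts.exposure_minutes} minutes")

    severe: List[str] = []
    if types & SPECIAL_CATEGORY:
        severe.append("special category data: " + ", ".join(sorted(types & SPECIAL_CATEGORY)))
    if types & HIGH_IMPACT_IDENTIFIERS:
        severe.append("identity theft / fraud enablers: " + ", ".join(sorted(types & HIGH_IMPACT_IDENTIFIERS)))
    if facts.combination_risk:
        severe.append("combination of fields enables adverse impact")
    reasons.extend(severe)

    if exposed and severe:
        return Triage("high risk", True, True, deadline, reasons)
    # Personal data affected but no high-risk factor: still notify the ICO and record it.
    return Triage("risk", True, False, deadline, reasons)


def late_notification(facts: BreachFacts, notified_at: datetime) -> bool:
    """True if the ICO report falls outside 72 hours and must carry reasons for the delay."""
    return notified_at > facts.aware_at + ICO_WINDOW


def breach_record(facts: BreachFacts, triage: Triage, remedial_action: str) -> Dict[str, object]:
    """The record kept for every breach, reportable or not: facts, effects, remedial action."""
    return {
        "controller": facts.controller,
        "aware_at": facts.aware_at.isoformat(),
        "data_types": sorted(facts.data_types),
        "third_party": facts.third_party_identity,
        "risk": triage.risk,
        "reasons": triage.reasons,
        "notify_ico": triage.notify_ico,
        "ico_deadline": triage.ico_deadline.isoformat(),
        "notify_individuals": triage.notify_individuals,
        "remedial_action": remedial_action,
    }


if __name__ == "__main__":
    # Constructed scenario mirroring the hotel example above.
    hotel = BreachFacts(
        controller="Example Hotel Ltd",
        aware_at=datetime(2019, 7, 8, 9, 0, tzinfo=timezone.utc),
        contained=True,
        data_types=["name", "address", "nationality", "passport"],
        accessed_by_third_party=True,
    )
    result = assess(hotel)
    print(breach_record(hotel, result, "revoked exposed credentials; passport scans removed"))
```

The hotel facts come out as “high risk” with both notifications required and an ICO deadline of 72 hours after the moment of awareness, which is the point at which the clock starts, not the moment the attacker got in.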