
Personal data breach

A personal data breach is described as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”

In general terms, a personal data breach is therefore a security incident that has affected the confidentiality, integrity or availability of personal data and may involve:

In summary, when any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable, for example encrypted by ransomware, a personal data breach will have occurred.

The effect upon an individual

The effect on the individual is the determining factor in whether a personal data breach must:

  1. be reported to the Commissioner; and
  2. be advised to the affected individual(s).

Whilst some personal data breaches will not lead to risks beyond inconvenience, others can adversely affect individuals whose personal data has been compromised. This can include emotional distress, and physical and material damage.

If not addressed, a personal data breach can cause significant harm to individuals; for example, an individual may suffer from identity theft or fraud, financial loss, damage to reputation, or other significant economic or social disadvantage. In responding to a personal data breach, a controller and processor must therefore consider all relevant factors and objectively assess the risks to an individual.

Controllers should already have made some assessment of the risk that the processing poses to individuals, and taken it into account, when determining what level of security was appropriate for the personal data being processed.

Basic obligations

Controllers are required to notify a personal data breach to the Commissioner without undue delay and, where feasible, within 72 hours after becoming aware of the breach, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of an individual.

If a personal data breach is likely to result in a high risk to the rights and freedoms of affected individuals, then the controller must also inform affected individuals without undue delay.

Controllers must maintain documentation to demonstrate compliance with Article 33, in particular as to whether, and how, the personal data breach is "unlikely" to result in a risk to the rights and freedoms of an individual. The minimum information that must be included, in addition to that necessary to be included in a notification to the Commissioner, is specified in Article 33(5). The documentation forms part of a controller's obligations under Article 24 to demonstrate compliance with the Applied GDPR and must be made available to the Commissioner and enable the Commissioner to "verify" the controller's compliance with Article 33.

Where a processor suffers a personal data breach, the processor must notify the controller without undue delay.

These obligations are set out in Articles 33 & 34 and further explained in Recitals 85 to 88 of the Applied GDPR.

What can happen if a personal data breach is not notified?

Failing to notify a breach when required to do so can result in a penalty of up to £1,000,000. The Commissioner may also combine a penalty with other corrective powers under Article 58 of the Applied GDPR.

Controllers subject to the supervision of an EU data protection authority may be subject to a penalty up to €10 million or 2 per cent of global turnover.

It is therefore important to have a robust breach-reporting process in place.

EDPB Guidelines

The Commissioner has regard to the following guidelines issued by the EDPB, applying them in the context of the Island.