Implementation guidance
The header page and this section, up to and including Disclaimer, must be removed from the final version of the document. For more details on replacing the logo, yellow highlighted text and certain generic terms, see the Completion Instructions document.
Purpose of this document
This procedure sets out how the organization acting as a controller will meet, as a minimum, the notification requirements of relevant privacy legislation (assumed to be the GDPR) in the event of a breach of personal data.
Areas of the framework addressed
The following areas of the Cybersecurity Framework are addressed by this document:
• Respond (RS)
o Incident Response Reporting and Communication (RS.CO)
▪ RS.CO-02
General guidance
Although this document is specific to the GDPR, it may be used as a template for compliance with the notification requirements for other legislation also.
The GDPR is specific in terms of the information that must be provided to the supervisory authority if a breach happens and the conditions that must be met if notification to data subjects is required. It is important to understand these requirements and be able to take considered decisions regarding notification that not only comply with the GDPR, but also meet the organization’s business and ethical needs and aspirations.
Note that this procedure applies mainly to the situation where the organization is a controller for the personal data involved. If the organization is a processor, the main obligations are to inform the data controller so that they can fulfil their obligations regarding breach notification, and this situation is also covered in this procedure.
Review frequency
We would recommend that this document is reviewed at least annually and after every relevant incident or test.
Document fields
This document may contain fields which need to be updated with your own information, including a field for Organization Name that is linked to the custom document property “Organization Name”.
To update this field (and any others that may exist in this document):
1. Update the custom document property “Organization Name” by clicking File > Info > Properties > Advanced Properties > Custom > Organization Name.
2. Press Ctrl A on the keyboard to select all text in the document (or use Select, Select All via the Editing header on the Home tab).
3. Press F9 on the keyboard to update all fields.
4. When prompted, choose the option to just update TOC page numbers.
If you wish to permanently convert the fields in this document to text, for instance, so that they are no longer updateable, you will need to click into each occurrence of the field and press Ctrl Shift F9.
If you would like to make all fields in the document visible, go to File > Options > Advanced > Show document content > Field shading and set this to “Always”. This can be useful to check you have updated all fields correctly.
Further detail on the above procedure can be found in the toolkit Completion Instructions. This document also contains guidance on working with the toolkit documents with an Apple Mac, and in Google Docs/Sheets.
Copyright notice
Except for any specifically identified third-party works included, this document has been authored by CertiKit, and is ©CertiKit except as stated below. CertiKit is a company registered in England and Wales with company number 6432088.
Licence terms
This document is licensed on and subject to the standard licence terms of CertiKit, available on request, or by download from our website. All other rights are reserved. Unless you have purchased this product you only have an evaluation licence.
If this product was purchased, a full licence is granted to the person identified as the licensee in the relevant purchase order. The standard licence terms include special terms relating to any third-party copyright included in this document.
Disclaimer
Please Note: Your use of and reliance on this document template is at your sole risk.
Document templates are intended to be used as a starting point only from which you will create your own document and to which you will apply all reasonable quality checks before use.
Therefore, please note that it is your responsibility to ensure that the content of any document you create that is based on our templates is correct and appropriate for your needs and complies with relevant laws in your country.
You should take all reasonable and proper legal and other professional advice before using this document.
CertiKit makes no claims, promises, or guarantees about the accuracy, completeness or adequacy of our document templates; assumes no duty of care to any person with respect its document templates or their contents; and expressly excludes and disclaims liability for any cost, expense, loss or damage suffered or incurred in reliance on our document templates, or in expectation of our document templates meeting your needs, including (without limitation) as a result of misstatements, errors and omissions in their contents.
Personal Data Breach Notification Procedure
Revision history
Distribution
1 Introduction
This procedure is intended to be used when an incident of some kind has occurred that has resulted in, or is believed to have resulted in, a loss of personal data. This document should be used in conjunction with the Information Security Incident Response Procedure which describes the overall process of reacting to an incident affecting the information security of [Organization Name]
It is a requirement of the EU General Data Protection Regulation 2016 (GDPR) that incidents affecting personal data that are likely to result in a risk to the rights and freedoms of data subjects must be reported to the data protection supervisory authority by the controller without undue delay and where feasible, within 72 hours of becoming aware of it. If the 72hour target is not met, reasons for the delay must be given.
In the situation where we are acting as a processor, there is an obligation to inform the controller(s) of the personal data about the breach “without undue delay”.
Where an incident affects personal data for which we are a controller, a decision must be taken regarding the extent, timing and content of communication with data subjects. The GDPR requires that communication must happen “without undue delay” if the breach is likely to result in “a high risk to the rights and freedoms of natural persons”.
The actions set out in this document should be used only as guidance when responding to an incident. The exact nature of an incident and its impact cannot be predicted with any degree of certainty and so it is important that a good degree of common sense is used when deciding what to do. However, it is intended that the steps set out here will prove useful in ensuring that our obligations under the GDPR are fulfilled.
This procedure should be considered in conjunction with the following related documents:
• Information Security Incident Response Procedure
• Incident Response Plan Data Breach
• Records Retention and Protection Policy
• Privacy and Personal Data Protection Policy
2 Personal data breach notification procedure
Once it has been decided that a breach of personal data has occurred, there are three parties who may be required by the GDPR to be informed. These are:
• The controller(s) of the personal data
• The supervisory authority
• The data subjects affected
It is not a foregone conclusion that the breach must be notified; this depends upon an assessment of the risk that the breach represents to “the rights and freedoms of natural persons” (GDPR Article 33). The following sections describe how this decision must be taken and what to do if notification is required.
2.1 Controller(s) of the personal data
Where [Organization Name] is acting as a processor of personal data on behalf of one or more controllers, there is an obligation to inform each controller about the breach “without undue delay”. It will then be up to the controller to decide whether it needs to be reported, and to take subsequent actions.
In order to allow the controller to meet the requirements of the GDPR, [Organization Name] will need to provide the following information to them:
• The date and time that the breach was discovered
• The date and time that the breach is believed to have occurred
• The data items included, for example name, address, bank details, biometrics
• The volume of data involved
• The number of data subjects affected
• The nature of the breach, for example theft, accidental destruction
• Whether the personal data was encrypted
• If encrypted, the strength of the encryption used
• To what extent the data was pseudonymized (i.e. whether living individuals can reasonably be identified from the data)
• The actions that have been taken to manage the impact of the breach
• Contact details of the person handling the breach within our organization
• Any other factors that are deemed to be relevant
Where more than one controller is involved, care must be taken to ensure that only information about each individual controller’s personal data is provided.
2.2 The supervisory authority
Where [Organization Name] is the controller of the personal data involved, the relevant supervisory authority may need to be informed. The supervisory authority for the purposes of the GDPR for [Organization Name] is as follows: NAME
TELEPHONE
FAX
Where [Organization Name] operates internationally, the details above are for the supervisory authority in the country of its main establishment or marketplace
2.2.1 Deciding whether to notify the supervisory authority
The GDPR states that a personal data breach shall be notified to the supervisory authority “unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons” (GDPR Article 33). This requires that the organization assess the level of risk before deciding whether to notify.
Factors to be considered as part of this risk assessment should include:
• Whether the personal data was encrypted
• If encrypted, the strength of the encryption used
• To what extent the data was pseudonymized (i.e. whether living individuals can reasonably be identified from the data)
• The data items included, for example name, address, bank details, biometrics
• The volume of data involved
• The number of data subjects affected
• The nature of the breach, for example theft, accidental destruction
• Any other factors that are deemed to be relevant
Parties involved in this risk assessment may include representatives from the following areas, depending on the nature and circumstances of the personal data breach:
• Senior management
• Business area(s)
• Technology
• Information security
• Legal
• Data protection officer
• External consultants
• Others
The risk assessment method, its reasoning and its conclusions should be fully documented and signed off by top management. The result of the risk assessment should include one of the following conclusions:
• The personal data breach does not require notification
• The personal data breach requires notification to the supervisory authority only
• The personal data breach requires notification both to the supervisory authority and to the affected data subjects
These conclusions may be subject to change based on feedback from the supervisory authority and further information that is discovered as part of the ongoing investigation of the breach.
2.2.2 How to notify the supervisory authority
If it is decided to notify the supervisory authority, the GDPR requires that this be done “without undue delay and, where feasible, not later than 72 hours after having become aware of it” (GDPR Article 33). If there are legitimate reasons for not having given the notification within the required timescale, these reasons must be given as part of the notification.
The notification should be given via appropriate secure means to the body listed in Table 1, using the form Personal Data Breach Notification Form as a template.
The following information must be given as part of the notification:
• The nature of the personal data breach, including, where possible:
o Categories and approximate number of data subjects concerned
o Categories and approximate number of personal data records concerned
• Name and contact details of the data protection officer or other contact point where more information may be obtained
• A description of the likely consequences of the personal data breach
• A description of the measures taken or proposed to be taken to address the personal data breach including, where appropriate, measures to mitigate its possible adverse effects
• If the notification falls outside of the 72-hour window, the reasons why it was not submitted earlier
Written confirmation should be obtained from the supervisory authority that the personal data breach notification has been received, including the date and time at which it was received. Where necessary, the GDPR allows the information to be provided in phases without undue further delay.
Documentation of the personal data breach, including its effects and the remedial action taken, will be produced as part of the Information Security Incident Response Procedure
2.3 Data subjects
Where [Organization Name] is the controller of the personal data involved, the affected data subjects may also need to be informed.
2.3.1 Deciding whether to notify data subjects
The GDPR states that a personal data breach shall be notified to the data subject “when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons” (GDPR Article 34). Note the addition of the word “high” over and above the definition given in Article 33.
The risk assessment carried out earlier in this procedure (section 2.2.1) will have determined whether the risk to the rights and freedoms of the data subjects affected is judged to be sufficiently high to justify notification to them.
However, if measures have subsequently been taken to mitigate the high risk to the data subjects, so that it is no longer likely to happen, then communication to the data subjects is not required by the GDPR.
Notification to affected data subjects is also not mandated by the GDPR where it “would involve disproportionate effort” (GDPR Article 34). However, in this case a form of public communication should be used instead.
Again, this may change based on feedback from the supervisory authority and further information that is discovered as part of the ongoing investigation of the breach.
2.3.2 How to notify data subjects
Once it has been decided that the breach justifies communication to the data subjects affected, the GDPR requires that this be done without undue delay.
The communication to the affected data subjects “shall describe in clear and plain language the nature of the personal data breach” (GDPR Article 34) and must also cover:
• Name and contact details of the data protection officer or other contact point where more information may be obtained
• A description of the likely consequences of the personal data breach
• A description of the measures taken or proposed to be taken to address the personal data breach including, where appropriate, measures to mitigate its possible adverse effects
In addition to the points required by the GDPR, it may be appropriate to offer advice to the data subject regarding actions they may be able to take to reduce the risks associated with the personal data breach.
In most cases it will be appropriate to notify affected data subjects via letter or email or both in order to ensure that the message has been received and that they have an opportunity to take any action required.