Personal Data Breach
Notification Procedure
ISO/IEC 27001 Toolkit: Version 13
The header page and this section, up to and including Disclaimer, must be removed from the final version of the document. For more details on replacing the logo, yellow highlighted text and certain generic terms, see the Completion Instructions document.
This procedure sets out how the organization acting as a controller will meet, as a minimum, the notification requirements of relevant privacy legislation (assumed to be the GDPR) in the event of a breach of personal data.
This document addresses the following sections of the ISO/IEC 27001 standard:
• A.5 Organizational controls
o A.5.24 Information security incident management planning and preparation
o A.5.26 Response to information security incidents
o A.5.34 Privacy and protection of PII
This document may be used as a template for compliance with the notification requirements for a range of privacy legislation that may apply to your organization.
Privacy legislation is usually specific in terms of the information that must be provided to the regulator if a breach happens and the conditions that must be met if notification to data subjects is required. It is important to understand these requirements and be able to take considered decisions regarding notification that not only comply with the legislation, but also meet the organization’s business and ethical needs and aspirations.
Note that this procedure applies mainly to the situation where the organization is a controller for the personal data involved. If the organization is a processor, the main obligations are to inform the data controller so that they can fulfil their obligations regarding breach notification, and this situation is also covered in this procedure.
We would recommend that this document is reviewed at least annually and after every relevant incident or test.
This document may contain fields which need to be updated with your own information, including a field for Organization Name that is linked to the custom document property “Organization Name”.
To update this field (and any others that may exist in this document):
1. Update the custom document property “Organization Name” by clicking File > Info > Properties > Advanced Properties > Custom > Organization Name.
2. Press Ctrl A on the keyboard to select all text in the document (or use Select, Select All via the Editing header on the Home tab).
3. Press F9 on the keyboard to update all fields.
4. When prompted, choose the option to just update TOC page numbers.
If you wish to permanently convert the fields in this document to text (for instance, so that they are no longer updateable), you will need to click into each occurrence of the field and press Ctrl Shift F9.
If you would like to make all fields in the document visible, go to File > Options > Advanced > Show document content > Field shading and set this to “Always”. This can be useful to check you have updated all fields correctly.
Further detail on the above procedure can be found in the toolkit Completion Instructions. This document also contains guidance on working with the toolkit documents with an Apple Mac, and in Google Docs/Sheets.
Copyright notice
Except for any specifically identified third-party works included, this document has been authored by CertiKit, and is ©CertiKit except as stated below. CertiKit is a company registered in England and Wales with company number 6432088.
This document is licensed on and subject to the standard licence terms of CertiKit, available on request, or by download from our website. All other rights are reserved. Unless you have purchased this product you only have an evaluation licence.
If this product was purchased, a full licence is granted to the person identified as the licensee in the relevant purchase order. The standard licence terms include special terms relating to any third-party copyright included in this document.
Please Note: Your use of and reliance on this document template is at your sole risk. Document templates are intended to be used as a starting point only from which you will create your own document and to which you will apply all reasonable quality checks before use.
Therefore, please note that it is your responsibility to ensure that the content of any document you create that is based on our templates is correct and appropriate for your needs and complies with relevant laws in your country.
You should take all reasonable and proper legal and other professional advice before using this document.
CertiKit makes no claims, promises, or guarantees about the accuracy, completeness or adequacy of our document templates; assumes no duty of care to any person with respect to its document templates or their contents; and expressly excludes and disclaims liability for any cost, expense, loss or damage suffered or incurred in reliance on our document templates, or in expectation of our document templates meeting your needs, including (without limitation) as a result of misstatements, errors and omissions in their contents.
Personal Data Breach Notification Procedure [Insert classification]
DOCUMENT CLASSIFICATION [Insert classification]
DOCUMENT REF ISMS-DOC-A05-34-2
VERSION 1
DATED [Insert date]
DOCUMENT AUTHOR [Insert name]
DOCUMENT OWNER [Insert name/role]
This procedure is intended to be used when an incident of some kind has occurred that has resulted in, or is believed to have resulted in, a loss of personal data (also referred to as PII, personally identifiable information). This document should be used in conjunction with the Information Security Incident Response Procedure, which describes the overall process of reacting to an incident affecting the information security of [Organization Name].
This document acts as a general guide to the breach notification process and must be used in the context of the specific privacy laws that apply to [Organization Name].
It is a requirement of many privacy laws that incidents affecting personal data that are likely to result in a risk to the rights and freedoms of data subjects must be reported to the appropriate data protection supervisory authority by the controller without undue delay and, where feasible, within a specific timeframe of becoming aware of it. If the timeframe target is not met, reasons for the delay must be given.
In the situation where we are acting as a processor, there is a general obligation to inform the controller(s) of the personal data about the breach without undue delay.
Where an incident affects personal data for which we are a controller, a decision must be taken regarding the extent, timing and content of communication with data subjects. In the case of many privacy laws the communication must happen without undue delay if the breach is likely to result in a high risk to the data subject.
The actions set out in this document should be used only as guidance when responding to an incident. The exact nature of an incident and its impact cannot be predicted with any degree of certainty and so it is important that a good degree of common sense is used when deciding what to do. However, it is intended that the steps set out here will prove useful in ensuring that our obligations under the applicable legislation are fulfilled.
This procedure should be considered in conjunction with the following related documents:
• Information Security Incident Response Procedure
• Incident Response Plan Data Breach
• Records Retention and Protection Policy
• Privacy and Personal Data Protection Policy
Once it has been decided that a breach of personal data has occurred, there are three parties who may be required to be informed. These are:
• The controller(s) of the personal data
• The supervisory authority (or similar regulatory body, see Table 2)
• The data subjects affected
It is not a foregone conclusion that the breach must be notified; this depends upon an assessment of the risk that the breach represents. The following sections describe how this decision must be taken and what to do if notification is required.
Where [Organization Name] is acting as a processor of personal data on behalf of one or more controllers, there is an obligation to inform each controller about the breach without undue delay. It will then be up to the controller to decide whether it needs to be reported, and to take subsequent actions.
In order to allow the controller to meet the requirements of the applicable legislation, [Organization Name] will need to provide the following information to them:
• The date and time that the breach was discovered
• The date and time that the breach is believed to have occurred
• The data items included e.g. name, address, bank details, biometrics
• The volume of data involved
• The number of data subjects affected
• The nature of the breach, for example theft, accidental destruction
• Whether the personal data was encrypted
• If encrypted, the strength of the encryption used
• To what extent the data was pseudonymised (i.e. whether living individuals can reasonably be identified from the data)
• The actions that have been taken to manage the impact of the breach
• Contact details of the person handling the breach within our organization
• Any other factors that are deemed to be relevant
Where more than one controller is involved, care must be taken to ensure that only information about each individual controller’s personal data is provided.
Where [Organization Name] is the controller of the personal data involved, the relevant supervisory authority (or similar regulatory body, see Table 2) may need to be informed. The main supervisory authority for [Organization Name] is as follows:
[Insert supervisory authority name and contact details]
Table 1: Supervisory authority contact details
Where [Organization Name] operates internationally, the details above are for the supervisory authority in the country of its main establishment or marketplace.
The following table shows the reporting requirements, regulatory authority and reporting timescales for the applicable privacy legislation. [Adjust the contents of the table according to the countries and states in which your organization operates]
Title: California Consumer Privacy Act (CCPA)
Reporting requirements: Under the CCPA, if a business experiences a data breach that involves the unauthorized access and exfiltration, theft, or disclosure of personal information, and if the business determines that the breach is likely to result in a significant risk of harm to consumers, the business is required to provide notice to affected consumers.
Report to: California Attorney General
Reporting period post breach: None specified at time of writing

Title: Virginia Consumer Data Protection Act (VCDPA)
Reporting requirements: VCDPA requires businesses to implement reasonable security measures to protect personal data. In the event of a data breach that is likely to result in harm to consumers, the VCDPA generally requires businesses to notify the Virginia Attorney General within a reasonable time but no later than 45 days after discovering the breach.
Report to: Virginia Attorney General
Reporting period post breach: <=45 days

Title: New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act
Reporting requirements: Businesses must provide notice to affected individuals and, in certain circumstances, to the New York Attorney General and the New York Department of State. The law specifies the content and timing of the notifications.
Report to: Affected individuals and, in certain circumstances, the New York Attorney General and the New York Department of State
Reporting period post breach: Not specified here; the law specifies the timing of the notifications (see reporting requirements)

[Add other US regulations specific to privacy as required]

Title: EU GDPR
Reporting requirements: By law, a personal data breach must be reported to the ICO without undue delay (if it meets the threshold for reporting) and within 72 hours.
Report to: Relevant EU state’s Information Commissioner’s Office
Reporting period post breach: 72 hours

Title: UK GDPR
Reporting requirements: By law, a personal data breach must be reported to the ICO without undue delay (if it meets the threshold for reporting) and within 72 hours.
Report to: UK’s Information Commissioner’s Office
Reporting period post breach: 72 hours

Table 2: Privacy legislation reporting requirements
Privacy legislation may state that a personal data breach shall be notified to the supervisory authority unless the personal data breach is unlikely to result in a risk to the data subject. This requires that the organization assess the level of risk before deciding whether to notify.
Factors to be considered as part of this risk assessment should include:
• Whether the personal data was encrypted
• If encrypted, the strength of the encryption used
• To what extent the data was pseudonymised (i.e. whether living individuals can reasonably be identified from the data)
• The data items included e.g. name, address, bank details, biometrics
• The volume of data involved
• The number of data subjects affected
• The nature of the breach e.g. theft, accidental destruction
• Any other factors that are deemed to be relevant
Parties involved in this risk assessment may include representatives from the following areas, depending on the nature and circumstances of the personal data breach:
• Senior management
• Business area(s)
• Technology
• Information security
• Legal
• Data protection officer
• External consultants
• Others
The risk assessment method, its reasoning and its conclusions should be fully documented and signed off by top management. The result of the risk assessment should include one of the following conclusions:
• The personal data breach does not require notification
• The personal data breach requires notification to the supervisory authority only
• The personal data breach requires notification both to the supervisory authority and to the affected data subjects
These conclusions may be subject to change based on feedback from the supervisory authority and further information that is discovered as part of the ongoing investigation of the breach.
If it is decided to notify the supervisory authority, this should be done without undue delay and, where feasible, not later than the applicable timeframe after having become aware of it. If there are legitimate reasons for not having given the notification within the required timescale, these reasons must be given as part of the notification.
The notification should be given via appropriate secure means to the body listed in Table 1, using the form Personal Data Breach Notification Form as a template.
The following information must be given as part of the notification:
• The nature of the personal data breach, including, where possible:
o Categories and approximate number of data subjects concerned
o Categories and approximate number of personal data records concerned
• Name and contact details of the data protection officer or other contact point where more information may be obtained
• A description of the likely consequences of the personal data breach
• A description of the measures taken or proposed to be taken to address the personal data breach including, where appropriate, measures to mitigate its possible adverse effects
• If the notification falls outside of the required window, the reasons why it was not submitted earlier
Written confirmation should be obtained from the supervisory authority that the personal data breach notification has been received, including the date and time at which it was received. Where necessary, the legislation may allow the information to be provided in phases without undue further delay.
Documentation of the personal data breach, including its effects and the remedial action taken, will be produced as part of the Information Security Incident Response Procedure.
Where [Organization Name] is the controller of the personal data involved, the affected data subjects may also need to be informed.
Some privacy legislation states that a personal data breach shall be notified to the data subject when the personal data breach is likely to result in a high risk to the data subject. Note the addition of the word “high” over and above the definition given previously.
The risk assessment carried out earlier in this procedure (section 2.2.1) will have determined whether the risk to the data subjects affected is judged to be sufficiently high to justify notification to them.
However, if measures have subsequently been taken to mitigate the high risk to the data subjects, so that it is no longer likely to happen, then communication to the data subjects may not be required.
Notification to affected data subjects may also not be mandated by privacy legislation where it would involve disproportionate effort. However, in this case a form of public communication should be used instead.
Again, this may change based on feedback from the supervisory authority and further information that is discovered as part of the ongoing investigation of the breach.
Once it has been decided that the breach justifies communication to the data subjects affected, this must be done without undue delay.
The communication to the affected data subjects should describe in clear and plain language the nature of the personal data breach and must also cover:
• Name and contact details of the data protection officer or other contact point where more information may be obtained
• A description of the likely consequences of the personal data breach
• A description of the measures taken or proposed to be taken to address the personal data breach including, where appropriate, measures to mitigate its possible adverse effects
In addition to the above points, it may be appropriate to offer advice to the data subject regarding actions they may be able to take to reduce the risks associated with the personal data breach.
In most cases it will be appropriate to notify affected data subjects via letter or email or both in order to ensure that the message has been received and that they have an opportunity to take any action required.