Technical helpsheet issued to help ICAEW members understand the requirements of the GDPR in relation to a data breach. Detailed guidance is available from the Information Commissioner’s Office (ICO).
Introduction
This helpsheet has been issued by ICAEW’s Technical Advisory Service to help ICAEW members understand the requirements of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 in relation to a data breach. Detailed guidance is available from the Information Commissioner’s Office (ICO).
Members may also wish to refer to the following related helpsheets and guidance:
What is a personal data breach?
The UK GDPR defines a personal data breach as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
The ICO suggests there will be a personal data breach whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable, for example, when it has been encrypted by ransomware, or accidentally lost or destroyed.
What is personal data?
The UK GDPR defines personal data as any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
ICO guidance states that personal data which has been pseudonymised (e.g. the replacement of employee names with employee numbers in a set of data) can help reduce privacy risks by making it more difficult to identify individuals, but is still personal data. Where personal data has been truly anonymised, then the anonymised data is not subject to the UK GDPR as it is no longer personal data.
Examples of personal data breaches
Personal data breaches can be very wide ranging and may include the following examples:
- Unauthorised access to file storage (whether electronic or hardcopy)
- Leaving documents containing personal data on a photocopier/printer in a public area
- Emailing personal data to the wrong recipient
- Accidentally deleting or shredding a document or file containing personal data
- Loss of availability of personal data (e.g. server fault)
- Laptops/phones/tablets containing or having access to personal data being lost or stolen
- Cars containing client files being broken into and the files stolen, or there being evidence that they have been read unlawfully
- Passing a client’s contact details onto a third party without a lawful basis to do so
- A staff member downloading a list of client contact details prior to leaving the firm
- A staff member incorrectly updating contact details for the wrong person
Whilst the above are examples of personal data breaches, not all of them would require notification to the ICO and/or the data subject. Further guidance is available in the section Notifications in the event of a personal data breach.
Examples which are not personal data breaches
Whilst the following examples are breaches of the UK GDPR, and a firm should deal with them appropriately, they are not personal data breaches because they do not meet the above definition:
- Failure to respond to a subject access request on time
- Sending marketing information to individuals without their consent
- Loss of data about a deceased individual (as the UK GDPR only applies to living people)
The following section addresses whether personal data breaches are notifiable breaches.
Notifications in the event of a personal data breach
In the event of a personal data breach, a firm must establish the likelihood and severity of the resulting risk to the rights and freedoms of data subjects as this will determine the appropriate notifications. Regard should be given to the ICO’s guidance on personal data breaches, reporting a breach and the European Data Protection Board’s (EDPB) Guidelines on Personal data breach notification.
Please note: The EDPB includes representatives from the data protection authorities of each EU member state. It adopts guidelines for complying with the requirements of the GDPR. Although the UK has left the EU, these guidelines continue to be relevant.
In assessing the risk, a firm should have regard to:
- The type of breach
- The nature, severity and volume of personal data
- Whether the breach involves any special category data
- The ease of identification of individuals
- Severity of consequences for individuals
- Specialist characteristics of the individual or the data controller
- The number of affected individuals
Notifying the ICO
A firm does not need to notify the ICO of every personal data breach. Broadly, a firm should establish the likelihood and severity of the resulting risk to people’s rights and freedoms. If it’s likely that there will be a risk then the ICO must be notified within 72 hours of becoming aware of the breach. If it’s unlikely and the breach is therefore not notified to the ICO, this must still be documented and justified.
It is important to note that failing to notify a breach when required to do so can result in a significant fine. Firms should therefore develop robust policies and procedures for the identification and notification of personal data breaches and ensure they have good documentary evidence to justify any decision not to notify the ICO.
When a notification is required, it is advisable for the firm to have a clear picture of the issue as soon as possible, however it is acceptable to provide additional information to the ICO later if necessary.
Appendix 1 contains examples of personal data breaches and guidance on whether the ICO needs to be notified.
Notifying the data subject
If a breach is likely to result in a high risk to the rights and freedoms of individuals, those concerned must be informed directly and without undue delay (i.e. as soon as possible). One of the main reasons for the requirement to notify data subjects is to help them take steps to protect themselves from the effects of a breach.
In some cases a breach may require notification to the ICO, but the data subject may not need to be notified, because the risk to the rights and freedoms of the data subject is not deemed to be a ‘high risk’. Again this decision should be documented and justified.
When notifying a data subject about a breach a firm would need to describe in plain and clear language the nature of the personal data breach, a name and contact point for where more information can be obtained, a description of the likely consequences of the breach and a description of measures taken or proposed to be taken to deal with the breach and any possible adverse effects.
Appendix 1 contains examples of personal data breaches and guidance on whether to notify the data subject(s).
Notifying ICAEW
The ICO is the relevant supervisory authority with respect to the UK GDPR, not the ICAEW.
There is no automatic obligation to inform ICAEW of all personal data breaches. If, as a result of a breach, a member and/or firm has become liable to disciplinary action, members may need to report to ICAEW under their duty to report misconduct. Such circumstances are expected to be extremely rare, and ICAEW would not usually need to be notified of personal data breaches.
Other considerations
Robust policies and procedures ensuring compliance with the UK GDPR will assist in reducing the risk of personal data breaches. Given the short notification time limits, firms need to be prepared to respond to breaches should they occur rather than developing such policies after a breach. Firms should therefore consider the following:
- Do staff know how to recognise a personal data breach?
- Do staff know who to report potential personal data breaches to?
- Do you have a process to document all breaches even if not notifiable?
- Do you know what information you need to provide the ICO in the case of a notifiable breach?
- Do you know how you will investigate breaches?
- Do you know what information you need to provide to a data subject in the case of a notifiable breach?
- Do you have a process to assess the likely risk to individuals as a result of a breach?
- Do you know where all personal data is held so you can identify who may be affected by a breach?
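As an added illustration (not part of the original helpsheet, and not an ICO or ICAEW tool), the following Python encodes the rules from the Notifying the ICO and Notifying the data subject sections, and the documentation checklist above, as a breach-register check. The firm records its assessed risk level; the code then derives whether the ICO and the data subjects must be told, computes the 72-hour ICO deadline from the moment of awareness, refuses a "not notified" entry that carries no written justification, and checks that a draft notice to data subjects contains the four elements the helpsheet lists. The risk grading itself remains the firm's judgement. Field names such as `reference` and `justification`, and the sample breaches in the `__main__` block (modelled on Appendix 1 scenarios 7 and 8), are constructed for this example; insisting on a timezone-aware awareness time is a practical precaution of the example, not something the helpsheet states.

```python
"""Breach-register triage helper illustrating the notification rules in this
helpsheet. Added example, not an ICO or ICAEW tool; field names are hypothetical."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import List, Optional

ICO_NOTIFICATION_WINDOW = timedelta(hours=72)  # runs from becoming aware of the breach


class Risk(Enum):
    """The firm's assessed risk to the rights and freedoms of data subjects."""
    UNLIKELY = "unlikely"  # no notification; document and justify the decision
    LIKELY = "likely"      # notify the ICO within 72 hours
    HIGH = "high"          # notify the ICO and the data subjects without undue delay


@dataclass
class SubjectNotice:
    """The four elements a notice to data subjects must contain."""
    nature: str               # nature of the personal data breach, in plain language
    contact_point: str        # name and contact point for more information
    likely_consequences: str  # likely consequences of the breach
    measures_taken: str       # measures taken or proposed, including mitigation


@dataclass
class BreachRecord:
    reference: str                # internal register reference (hypothetical field)
    description: str
    aware_at: datetime            # timezone-aware moment the firm became aware
    risk: Risk
    justification: str = ""       # required whenever the ICO is NOT notified
    subject_notice: Optional[SubjectNotice] = None


@dataclass
class TriageResult:
    notify_ico: bool
    notify_subjects: bool
    ico_deadline: Optional[datetime]
    problems: List[str] = field(default_factory=list)  # empty means the entry is complete


def triage(record: BreachRecord, now: Optional[datetime] = None) -> TriageResult:
    """Derive the notification consequences of the recorded risk level and flag gaps."""
    if record.aware_at.tzinfo is None:
        # Example's precaution: a naive local time makes the 72-hour deadline ambiguous.
        raise ValueError("aware_at must be timezone-aware so the 72-hour clock is unambiguous")
    now = now or datetime.now(timezone.utc)
    notify_ico = record.risk in (Risk.LIKELY, Risk.HIGH)
    notify_subjects = record.risk is Risk.HIGH
    deadline = record.aware_at + ICO_NOTIFICATION_WINDOW if notify_ico else None
    problems: List[str] = []
    if not notify_ico and not record.justification.strip():
        problems.append("no justification recorded for not notifying the ICO")
    if notify_ico and now > deadline:
        problems.append(f"ICO deadline {deadline.isoformat()} has passed; notify now and record the reason for delay")
    if notify_subjects:
        notice = record.subject_notice
        if notice is None:
            problems.append("data subjects must be notified but no notice drafted")
        else:
            for element in ("nature", "contact_point", "likely_consequences", "measures_taken"):
                if not getattr(notice, element).strip():
                    problems.append(f"subject notice missing: {element}")
    return TriageResult(notify_ico, notify_subjects, deadline, problems)


if __name__ == "__main__":
    # Constructed records modelled on Appendix 1 scenarios 7 and 8.
    aware = datetime(2024, 4, 26, 9, 0, tzinfo=timezone.utc)
    restored = BreachRecord("BR-007", "tax advice files deleted in error; restored from backup",
                            aware, Risk.UNLIKELY,
                            justification="restored from backup within the hour; no consequence for individuals")
    misdirected = BreachRecord("BR-008", "unencrypted draft tax return emailed to wrong recipient",
                               aware, Risk.HIGH)
    for rec in (restored, misdirected):
        print(rec.reference, triage(rec, now=aware + timedelta(hours=1)))
```

The check deliberately does not infer the risk level from breach characteristics: as the helpsheet stresses, that is an assessment the firm must make and document, and the script's job is only to make sure the consequences of that assessment (deadline, justification, notice content) are not overlooked.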
If in doubt seek advice
The ICO is the regulator for data protection in the UK and has its own website and helpline.
ICAEW members, affiliates, ICAEW students and staff in eligible firms with member firm access can discuss their specific situation with the Technical Advisory Service on +44 (0)1908 248 250 or via webchat.
Appendix 1: Personal data breach notification examples
The following examples are intended to provide indicative guidance on whether the ICO and/or the data subject(s) need to be notified in a number of situations and are designed to explore general principles contained within the European Data Protection Board’s (EDPB) Guidelines on Personal data breach notification. The discussion forms an important part of the table.
Scenario | Notify ICO? | Notify data subject(s)? | Discussion
---|---|---|---
Scenario 1: A firm stored a backup of information relating to an individual’s personal tax return on an encrypted USB stick. The USB stick was stolen during a break-in. | No | No | As long as the USB stick cannot be compromised (i.e. it used state-of-the-art encryption) and other backups exist which can be restored in good time, this may not be a reportable breach. If the security protection on the USB stick is weak, or the data is subsequently compromised, this would become a notifiable breach.
Scenario 2: A fault with a firm’s servers causes loss of access to the system and client records (including personal data) are unavailable for a few hours until the fault is rectified. | No | No | Whilst this would constitute a breach, as access to personal data was unavailable, it is unlikely to be a notifiable breach because access was restored in good time.
Scenario 3 | Yes | Yes | There is likely to be a high risk to the rights and freedoms of the data subjects concerned and there is therefore a requirement to notify the ICO and the data subjects.
Scenario 4: A firm suffers a ransomware attack which results in all data being encrypted by the attackers so it is inaccessible to the firm. All the firm’s backups have also been encrypted in the same way. Investigation shows that the attackers have not been able to obtain the data and it is simply inaccessible to the firm due to the encryption. | Yes | Yes | Because access to the personal data has been lost, this is likely to require notification to the ICO and the data subjects concerned, as there are likely to be consequences of the lack of availability of the data. If, however, there were unaffected backups which could be restored in a timely fashion, this may not be notifiable, as personal data has not been acquired by the attacker and access could be restored.
Scenario 5: A member of staff at the firm sends a draft tax return to the wrong client. | Yes | Yes | Given the contents of the tax return there is likely to be a high risk to the rights and freedoms of the data subjects concerned and there is therefore a requirement to notify the ICO and the data subject(s) concerned.
Scenario 6: A marketing email is sent out to clients with their personal email addresses in the ‘to’ field so that every recipient can see every other recipient’s email address. | Yes (usually) | Yes (usually) | If no sensitive data is revealed then notification may not be necessary. If any sensitive data is revealed, or a large number of email addresses are revealed, then notification may be necessary. An email highlighting that an individual was part of a particular tax scheme and offering advice on it would be considered more sensitive than a generic email advertising a broad range of the firm’s services.
Scenario 7: A member of staff accidentally deletes personal data relating to tax advice provided from the firm’s server. A backup is available and the data is promptly restored. | No | No | This is unlikely to result in a risk to the rights and freedoms of the data subject and therefore there is no requirement to notify the ICO or the data subject.
Scenario 8: A member of staff emails an unencrypted draft tax return to the wrong recipient. | Yes | Yes | Given the sensitivity of the personal data disclosed this is likely to result in a high risk to the rights and freedoms of the data subject, and both the ICO and the data subject should therefore be notified.
© ICAEW 2024 All rights reserved.
ICAEW cannot accept responsibility for any person acting or refraining to act as a result of any material contained in this helpsheet. This helpsheet is designed to alert members to an important issue of general application. It is not intended to be a definitive statement covering all aspects but is a brief comment on a specific point.
ICAEW members have permission to use and reproduce this helpsheet on the following conditions:
- This permission is strictly limited to ICAEW members only who are using the helpsheet for guidance only.
- The helpsheet is to be reproduced for personal, non-commercial use only and is not for re-distribution.
For further details members are invited to telephone the Technical Advisory Service T +44 (0)1908 248250. The Technical Advisory Service comprises the technical enquiries, ethics advice, anti-money laundering and fraud helplines. For further details visit icaew.com/tas.
Update History
- 01 Apr 2018 (12:00 AM BST): First published
- 01 Feb 2021 (03:33 PM GMT): Changelog created, helpsheet converted to new template
- 01 Feb 2021 (03:34 PM GMT): Updated for Brexit-related changes
- 26 Apr 2024 (12:00 AM BST): Updated the ‘duty to report misconduct’ link in the Notifying ICAEW subsection from the 2020 version to the 2023 version