GDPR in practice

Now that you’ve had a broader overview of the information lifecycle, it’s time to take a closer look at the workings of GDPR and reporting a personal data breach.

Figure 1: How GDPR works

How GDPR works

Figure 1 gives a high-level overview of how UK-GDPR works in practice. UK-GDPR define Articles, which are mandatory requirements and laws, and recitals, which are commentaries and guidelines showing how such articles are likely to be interpreted.

The EDPB are the European Data Protection Board. They are currently known as Working Party 29 (WP29). They manage all Supervisory Authorities and are creating guides on various key requirements.

The ICO is the Information Commissioner's Office. They are the UK’s Supervisory Authority (SA) for data protection and UK-GDPR from May 2018.

A DPO is a Data Protection Officer and is the person within an organisation who is responsible for overseeing data protection strategy and implementation to ensure compliance with GDPR requirements.

The person to whom data refers is the data subject, and UK-GDPR affords them subject rights in respect of their data. They can raise complaints with the ICO (or FCA if it relates to financial matters) if they feel their subject rights have been breached.

Personal data breach

Figure 2: Data breach process

Under UK-GDPR, reporting a personal data breach is now mandatory. This must be done to the Supervisory Authority without undue delay, and within 72 hours of becoming aware of the breach if it is likely to pose a risk to data subjects. 

The ICO know that an organisation may not have completed its investigation or have a full idea of the scale or impact so a phased reporting approach will be applied.

Organisations that fail to report breaches within the 72 hours must demonstrate to the Supervisory Authority why they did not do so and if the ICO deem the delay unjustified, a fine may be imposed. A controller is not obligated to notify a data subject where measures are implemented such as 'rendering] the personal data unintelligible to any person who is not authorised to access it, such as encryption' or the risk is no longer likely to materialise based on subsequent measures taken by the controller as part of its incident management process. If communication to multiple data subjects would involve disproportionate effort, the Regulation requires a public communication or similar measure.

If a breach has occurred that can impact a data subject, the data processors need to notify the data controllers without undue delay.

In reporting the breach, the data controller must consider the number of records exposed, the categories of data exposed, the measures taken to address the breach and the consequences of the breach to the affected data subjects. Data controllers should therefore advise the organisational management of these requirements, as this can impact how they manage any reputational damage on the organisation. The law provides consideration that early disclosure to subjects could hamper a law enforcement investigation and, in such cases if that resulted in a delay in notification, then that has to be advised to the supervisory authority.

The authority will require an assessment of impact as well as measures which had been put in place. Notification to data subjects must be done without undue delay where there is a high risk to their rights and freedoms.

A personal data breach is defined in recital 85 as: 

'A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned.'

Organisations should ensure they have robust breach detection, investigation and internal reporting procedures in place. This will facilitate decision-making about whether they need to notify the relevant supervisory authority and the affected individuals.

What’s next?  

Now you’ve got a basic understanding of GDPR and the information life cycle, you’ll move on to look at the development life cycle and see how the two might interlink.