Managing Personal Data Breaches
Introduction
The fluidity and intricate nature of data make personal data breaches particularly complex to manage, given the volume, velocity and variety of data churned out in today’s digital ecosystem. This complexity is amplified by the varied scope of personal data breaches. As organizations embark on the journey to demystify personal data, they must distinguish security incidents from personal data breaches and adhere to the data protection principle of integrity and confidentiality. While there is no one-size-fits-all approach to managing personal data breaches, this paper will enlighten the reader on how to manage these breaches under two legal frameworks: the General Data Protection Regulation (GDPR) and Uganda’s Data Protection and Privacy Act, 2019 (DPPA). The author appreciates the far-reaching hand of the GDPR and recommends that, in addition to adhering to the domestic law, organizations should strive to adhere to the GDPR, a regulation that has been acclaimed as a yardstick for international best practice.
What is a personal data breach?
Recital 87 of the GDPR states that when a security incident takes place, the controller should establish immediately whether a personal data breach has occurred and promptly take steps to address it. The regulation contemplates that not all security incidents result in personal data breaches, which makes it critical to define a personal data breach. Under Article 4(12), a personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. Recital 85 adds that such a breach may in particular lead to physical, material (e.g. financial loss) or non-material damage (e.g. identity theft). Broadly, it is a security incident that affects the confidentiality, integrity or availability of personal data.
In order to address a breach, a controller should be able to recognize whether the breach is one of confidentiality, integrity or availability. A confidentiality breach occurs where there is an unauthorized or accidental disclosure of, or access to, personal data. An integrity breach occurs where there is an unauthorized or accidental alteration of personal data, and an availability breach occurs where there is an accidental or unauthorized loss of access to, or destruction of, personal data. A single incident can fall into more than one category: a ransomware attack that encrypts a customer database is an availability breach, and if the attacker also copied the data before encrypting it, it is a confidentiality breach as well.
Personal data breaches may emanate from security incidents such as ransomware or data exfiltration attacks, but they may also originate internally, for instance where employees accidentally send e-mails to the wrong recipients or where devices containing personal data are lost or misplaced. A personal data breach is not limited to digital platforms; it may also occur where documents containing personal data are misplaced or posted through ordinary mail to the wrong recipient. What is fundamentally crucial is the ability to identify when a personal data breach has occurred, so as to determine what steps should be taken to address or mitigate it, taking into account its nature and scope as well as the risk and severity to the rights and freedoms of data subjects.
Duty to notify the supervisory authority
The GDPR introduces a requirement to notify the supervisory authority of personal data breaches. Article 33 of the GDPR states that in case of a personal data breach, the controller must without undue delay and where feasible, not later than 72 hours after having become aware of it, notify the supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification is not made within 72 hours, it must be accompanied by reasons for the delay.
It is notable that under the regulation, not all personal data breaches warrant notification to the supervisory authority. The data controller has the discretion to determine whether the breach is likely to result in a risk to the rights and freedoms of the data subjects, and such discretion must be exercised judiciously. For example, if an employee accidentally deletes a client’s personal data but the data can be promptly restored from the company’s backup, the company may not need to report this availability breach to the supervisory authority. The breach must nonetheless be recorded in the controller’s internal breach register together with the reasoning for not reporting it, and if the restoration takes long enough to affect the client (for example, a delayed payment or service), the risk assessment may change.
Uganda’s DPPA, on the other hand, imposes a duty on the data controller, data collector and data processor to immediately inform the Authority (the National Information Technology Authority) of any data breach. The Act leaves no room for ambiguity: all breaches must be brought to the attention of the Authority.
The notification to the supervisory authority should at least:
· describe the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
· include the name and contact details of the Data Protection Officer or other contact point where more information can be obtained;
· describe the likely consequences of the personal data breach; and
· describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
The GDPR acknowledges that all of this information may not be available to the data controller at the time of the initial notification, and allows the controller to provide it in phases without undue further delay. The controller should therefore not hold back the initial notification until its investigation is complete.
Duty to notify the data subjects
Article 34 of the GDPR states that where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller must communicate the personal data breach to the data subject without undue delay. Such breaches may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to the data subjects, such as loss of control over their personal data, discrimination, identity theft, financial loss, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned. Once again, under the GDPR, the controller has the discretion to determine whether the data subject should be informed. For example, if a bank’s system is hacked and its clients’ financial data are exfiltrated, the bank has an obligation to notify the data subjects without undue delay (and, since a high risk is necessarily a risk, to notify the supervisory authority as well).
The communication to the data subject must describe, in clear and plain language, the nature of the personal data breach and contain:
· the name and contact details of the Data Protection Officer or other contact point where more information can be obtained;
· a description of the likely consequences of the personal data breach; and
· a description of the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
The communication has to provide sufficient information to allow the data subject to take protective measures against the consequences of the breach. However, communication to the data subject is not required if any of the following conditions is met:
· The controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the breach, in particular measures that render the personal data unintelligible to any person who is not authorized to access it, such as encryption. This condition holds only while the data actually remain unintelligible: if the encryption key was also compromised, or the encryption used is known to be weak, the data subjects must still be informed.
· The controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialize.
· It would involve disproportionate effort. In such a case, there should instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.
On the other hand, according to the DPPA, it is the Authority which determines whether the data subject should be notified. Where the Authority determines that the data subject should be notified, the notification must be made by one of the following methods:
· Registered mail to the data subject’s last known residential or postal address;
· Electronic mail to the data subject’s last known e-mail address;
· Placement in a prominent position on the responsible party’s website; or
· Publication in mass media.
Exercising the discretion under the GDPR may be somewhat perplexing for data controllers. Nonetheless, data controllers must at all times keep and maintain a register of all personal data breaches, whether or not they were reported, documenting the facts of each breach, its effects and the remedial action taken (Article 33(5)); this register is what allows the supervisory authority to verify compliance after the fact. It may help to have an internal measurement framework for determining a risk that warrants reporting to the supervisory authority, a high risk that warrants reporting to the data subject, or both.
Technical and organizational measures
One of the most important obligations of the data controller is to evaluate risks and implement appropriate technical and organizational measures to address them. According to Article 5(1)(f) of the GDPR, personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
Section 20 of the DPPA imposes a duty upon the data controller, data collector and data processor to secure data subjects’ personal data in line with the integrity and confidentiality principle of data protection. Below are some measures that may be employed to manage or mitigate personal data breaches:
· Robust data protection impact assessments will facilitate identification of reasonably foreseeable internal and external risks to personal data.
· Pseudonymization and encryption of personal data.
· E-mails to multiple external recipients should be sent using blind carbon copy (bcc) so that recipients’ addresses are not disclosed to one another.
· Disable auto complete when typing e-mail addresses.
· Encourage employees to double check files before sending them.
· Ensure that all mobile devices containing personal data are protected by strong passcodes and that their storage is encrypted.
· Turn on mobile device functionalities that enable them to be located, locked and wiped remotely in case they are lost.
· Employ multi-factor authentication methods.
· Ensure that you have robust breach detection, investigation and internal reporting procedures.
· Training and awareness on data protection issues focusing on personal data breach.
· Keep all documents containing personal data in secure locations.
· Establish proper access control policies and procedures.
· Monitor for unusual data flows, such as large or unexpected outbound transfers.
· Conduct regular IT security audits.
· Have plans and procedures in place for handling data breaches when they occur.
· Have a contingency plan to deal with subject access requests and erasures.
· Controllers should not transfer personal data to processors until they have satisfied themselves that the processors have in place technical and organizational measures to protect the personal data (Article 28).
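To make the pseudonymization measure above concrete, and to show why the “unintelligible data” condition for not informing data subjects depends on the key staying confidential, the following Python is an added illustration, not code from this paper or its author. It assumes a constructed set of customer records (not real people), a pseudonymization key generated at run time, and a hypothetical re-identification table that a controller would keep separately from the dataset. It contrasts an unkeyed hash of identifiers, which an attacker can reverse by guessing, with an HMAC-SHA256 token, which cannot be reversed without the key.

```python
"""Pseudonymising direct identifiers with a keyed hash (illustration only).

Sample records are constructed; the key is generated at run time and would,
in practice, live in a separate store (KMS/HSM/vault) from the dataset.
"""
import hashlib
import hmac
import secrets

# Fields that directly identify a person; other attributes are kept as-is.
DIRECT_IDENTIFIERS = ("name", "email", "national_id")

# Constructed sample data, not real people.
SAMPLE_RECORDS = [
    {"name": "Alice Example", "email": "alice@example.com",
     "national_id": "CM90011", "balance": 1200},
    {"name": "Bob Example", "email": "bob@example.com",
     "national_id": "CM90012", "balance": 350},
]


def new_key() -> bytes:
    """Pseudonymisation key: 256 random bits, stored apart from the data."""
    return secrets.token_bytes(32)


def unkeyed_token(field: str, value: str) -> str:
    """Plain SHA-256: looks opaque, but anyone can recompute it from a guess."""
    return hashlib.sha256(f"{field}\x00{value}".encode()).hexdigest()


def keyed_token(key: bytes, field: str, value: str) -> str:
    """HMAC-SHA256: without the key an attacker cannot test guesses.
    The field name is mixed in so the same string in two fields differs."""
    return hmac.new(key, f"{field}\x00{value}".encode(), hashlib.sha256).hexdigest()


def pseudonymise(records, key=None):
    """Replace direct identifiers with tokens (keyed if a key is given)."""
    out = []
    for rec in records:
        new = {}
        for field, value in rec.items():
            if field in DIRECT_IDENTIFIERS:
                new[field] = (keyed_token(key, field, value) if key is not None
                              else unkeyed_token(field, value))
            else:
                new[field] = value
        out.append(new)
    return out


def reidentification_table(records, key):
    """token -> original value. This is the 'additional information' that
    must be kept separately (hypothetical table, for illustration)."""
    return {keyed_token(key, f, rec[f]): rec[f]
            for rec in records for f in DIRECT_IDENTIFIERS}


def dictionary_attack(pseudo_records, candidates):
    """What an attacker holding only a leaked dataset recovers by guessing
    identifier values (e.g. e-mail addresses from another breach)."""
    recovered = {}
    for rec in pseudo_records:
        for field in DIRECT_IDENTIFIERS:
            for guess in candidates:
                if unkeyed_token(field, guess) == rec[field]:
                    recovered[rec[field]] = guess
    return recovered


def exposed_identifiers(pseudo_records, leaked_table=None):
    """Identifiers an attacker can read from a breached dataset: none while
    the key and table stay confidential, all of them once the table leaks.
    In the latter case the data are no longer 'unintelligible' and the
    data subjects must be informed."""
    if leaked_table is None:
        return set()
    return {leaked_table[rec[f]] for rec in pseudo_records
            for f in DIRECT_IDENTIFIERS if rec[f] in leaked_table}


if __name__ == "__main__":
    key = new_key()
    safe = pseudonymise(SAMPLE_RECORDS, key)
    weak = pseudonymise(SAMPLE_RECORDS)
    guesses = ["alice@example.com", "carol@example.com"]
    print("keyed dataset, no key leaked:", exposed_identifiers(safe))
    print("keyed dataset, guessing:", dictionary_attack(safe, guesses))
    print("unkeyed dataset, guessing:", dictionary_attack(weak, guesses))
    print("keyed dataset, table leaked:",
          exposed_identifiers(safe, reidentification_table(SAMPLE_RECORDS, key)))
```

The point for breach handling is the last two lines of output: a leaked dataset built with unkeyed hashes gives up every identifier an attacker can guess, and a leaked keyed dataset is only harmless until the key or the re-identification table leaks with it. A breach that touches the key store should therefore be assessed as a confidentiality breach of the underlying data, not of meaningless tokens.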
Organizations must employ a finely balanced approach to managing these breaches, that is, both a risk-based approach and a compliance-based approach. Compliance teams, cybersecurity teams and data governance experts must offer effective and efficient leadership to enable teams to identify and report personal data breaches.
Conclusion
As earlier noted, there is no all-encompassing approach to managing personal data breaches. However, it is important that organizations cultivate a data protection and privacy culture that is deeply woven into the fabric of the entity so as to enable strategic management of personal data breaches. This will not only facilitate agility in identifying breaches but also enhance mitigation efforts. The importance of managing these breaches cannot be overemphasized, not only because it is a compliance requirement but because failure to manage personal data breaches may result in criminal sanctions. The DPPA imposes a fine of UGX 4,800,000 or imprisonment for 10 years or both for unlawfully obtaining or disclosing personal data. It is equally an offence to unlawfully destroy, delete, conceal or alter personal data, with a penal sanction of a fine not exceeding UGX 4,800,000 or imprisonment not exceeding 10 years or both. The author recommends that the Ugandan legal system develop guidelines to enable data controllers, processors and collectors to benchmark when in doubt. In the interim, the European Data Protection Board guidelines on personal data breach notification may offer the much needed guidance.
The author is a Lawyer, Data Privacy Practitioner, Co- founder of ANJ Data Management Solutions (A) Ltd and a Member of the IAPP.