10 September 2019

Data protection – breach logs

After a year of the General Data Protection Regulation (GDPR) we have been asked some interesting questions around data breach recording and what information needs to be kept on breach logs. To assist with this, we have put together some quick pointers to help you ensure that you are using and updating your breach log correctly should a breach arise.

Keep enough detail

The number of breaches being reported to the Information Commissioner’s Office (ICO) is putting significant pressure on its case handling teams and it can take six months or longer for the ICO to come back to a data controller who has made a breach report to ask for additional information. It is important, therefore, to ensure that you record enough information in breach logs or investigation documents to help you deal with these queries, even if some time has passed and the staff involved have moved to other roles.

Use of personal data in breach logs

Sometimes it can be useful to record personal data in the breach log and this will often fall within the legitimate interests condition for processing. However, before doing so you should consider data minimisation – in other words check that it is actually required.
For example it may be legitimate to hold details of individuals involved (either data subjects or staff involved in investigations), but less legitimate to hold a full copy of the compromised data (particularly if your breach log is on a less secure system than the system which was compromised). You should also consider how long you need to retain this information for and what level of security is appropriate.

Retention Periods

GDPR says that breaches should be documented, but is not clear about how long these records should be held for. In addition, the information held in breach logs may need to be revisited from time to time. For example, if a breach was not notifiable because the data was protected by encryption, but it is subsequently discovered that the method of encryption is vulnerable, it may need to be reported at that point. You will need to consider how long the breach record is held for to enable you to do this – this may depend on the sensitivity of the data and the level of risk that it may be compromised in the future, as well as the likelihood of the ICO looking into the breach.

Data subject’s right of access - a hindrance or a hidden opportunity?

Under data protection legislation, individuals have the right to access their personal data held by a data controller by making a subject access request (SAR).

Although this right existed previously, the introduction of the much-publicised General Data Protection Regulation (GDPR) and the Data Protection Act 2018 have seen an increasing trend in the use of SARs.

Recent case law has established that an individual’s motivation in exercising their SAR rights has little impact on an organisation’s obligation to properly consider and respond to the request. As a general rule, organisations should respect a SAR, irrespective of any suspicions that may exist regarding the motivation for the request.

Despite all the noise around the introduction of the GDPR, it remains commonplace for organisations to have a lack of processes in place for searching, gathering and considering personal data relevant to a SAR, which presents predictable challenges when seeking to comply with the new one-month response timeframe.

Developing processes from scratch, whilst responding to a SAR, inevitably leads to a reduction in time and resources to actually deal with the request. This, coupled with the fact that many data controllers misjudge the time and resources required to respond to a SAR, means that organisations are often hindered by starting on the back foot.

Preparations or actions which reduce the hassle or time in responding to a SAR can only be a good thing. Developing an understanding of what personal data is held, where it is stored and processed, and how searches can be carried out effectively is highly recommended, as is developing standard practice procedures for handling and even recognising SARs. The latter is particularly significant. As there is no statutory form which a SAR must take, it is down to the data controller organisation to ensure its personnel will be able to recognise correspondence as a SAR.

Although pre-prepared checklists should rarely be cast in stone, having policy documents setting out the types of searches that will be performed, as well as prompts of keywords and search criteria can prove invaluable in achieving compliance with statutory requirements and timeframes.

Flexible procedures are just as valuable. Where requests are simple and minimal data is involved, it is likely to be straightforward for a single individual to review the personal data and prepare the statutory response. In more complex situations (for example, where the request is made in the context, or with the potential, of litigation) or where a substantial volume of data is returned, heightened plans should exist. A clear plan provides data controllers with a greater chance of complying with their statutory obligations and allows them to positively handle SARs when they arrive, rather than being reactive and losing valuable time whilst figuring out what to do.

In recent months, we have begun seeing more organisations positively differentiate themselves from competitors through their approach to data subject rights, including in the way that they approach SARs. Although increased penalties under the new legislation looming over organisations like the ‘Sword of Damocles’ may have acted as a motivation for some, it is apparent that many are realising the value to be derived from proactively establishing processes that build trust and enhance relationships with data subjects.