The General Data Protection Regulation (GDPR) introduces a duty on all Data Controllers and Data Processors to record and report certain types of Personal Data breach. The GDPR is a European Union law but has international scope.
This Royal Jordanian (RJ) policy sets out the key legal elements and considerations of responding to a Personal Data breach, principally the obligation to notify the Supervisory Authority and/or Data Subjects in accordance with the GDPR.
In order to ensure the policy is accessible and easy to understand, it has been set out in the form of a Q&A. A flow chart of the steps to take following a Personal Data breach can be found at Schedule 1.
This policy uses the following terms:
Data Controller: the person or organisation that determines when, why and how to Process Personal Data. It is responsible for establishing practices and policies in line with the GDPR. RJ is the Data Controller of all Personal Data it collects from Data Subjects.
Data Subject: an identified or identifiable individual about whom RJ holds Personal Data (e.g. all employees, workers, consultants, customers, passengers and clients).
Data Processor: the person or organisation that processes personal data on behalf of the Data Controller (e.g. third-party suppliers and service providers used by RJ).
Data Protection Officer: RJ has appointed a Data Protection Officer (DPO) whose responsibilities include monitoring RJ’s compliance with the GDPR and notifying the Supervisory Authority about any Personal Data breach. The DPO can be contacted on firstname.lastname@example.org.
Personal Data: any information identifying a Data Subject or information relating to a Data Subject who can be identified (directly or indirectly) from that data alone or in combination with other identifiers. Personal Data includes Sensitive Personal Data and Pseudonymised Personal Data but excludes anonymous data or data that has had the identity of an individual permanently removed. Personal Data can be factual (for example, a name, email address, location or date of birth) or an opinion about that person's actions or behaviour.
Processing or Process: any activity that involves the use of Personal Data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring Personal Data to third parties.
Supervisory Authority: the independent public authority responsible for monitoring the application of the GDPR in each European member state. The UK Supervisory Authority is the Information Commissioner’s Office (ICO) which RJ has elected to appoint as its Supervisory Authority.
A Personal Data breach is any security incident which leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data. This includes breaches which are the result of either accidental or deliberate causes.
When RJ experiences any security incident, it must quickly establish whether or not a Personal Data breach has occurred. Personal Data breaches can include:
In summary, a Personal Data breach occurs whenever any Personal Data is lost, destroyed, corrupted or disclosed; accessed or transferred without proper authorisation; or if the data is made unavailable, for example, when it has been encrypted by ransomware, or accidentally lost or destroyed. Any RJ employee who is unsure of whether or not a Personal Data breach has occurred should contact the DPO for guidance.
Any RJ employee who becomes aware that a Personal Data breach has (or may have) occurred must immediately report it to their manager and to the DPO who will investigate the incident to identify RJ’s next steps as set out below.
The DPO should record all Personal Data breaches in a data breach log, regardless of whether or not they are determined to be serious enough to be notified to the Supervisory Authority and/or to Data Subjects.
The data breach log should record all facts relating to the breach, including how and when it occurred, how and when it was discovered, the categories of Personal Data affected, the categories of Data Subjects affected, and any remedial action taken. The Supervisory Authority has the power to require RJ to provide details of any previous Personal Data breaches and what action was taken, which is why this log is essential.
As with any security incident, the DPO should investigate each Personal Data breach to identify whether or not it was a result of human error or a systemic issue, and to see how a recurrence can be prevented through better processes, further training or other corrective steps.
If the DPO, in consultation with RJ’s senior management and legal advisers, decides that the Personal Data breach is likely to result in a risk to Data Subjects’ rights and freedoms, the DPO must notify the Supervisory Authority.
The notification must be made without undue delay and in any event no later than 72 hours after RJ becomes aware of the breach. If the delay is longer than this, the DPO will need to explain the reason for the delay.
If the DPO, in consultation with RJ’s senior management and legal advisers, decides that the Personal Data breach is not likely to result in a risk to Data Subjects’ rights and freedoms, for example if misplaced electronic data is encrypted and cannot be accessed, the DPO does not need to notify the Supervisory Authority.
However, the DPO must still record details of the breach, including what action was taken to remedy it and why it was not notified to the Supervisory Authority, in a data breach log which the Supervisory Authority may inspect upon request.
To establish whether or not RJ has an obligation to notify the Supervisory Authority, the DPO must assess the likelihood, severity and potential impact of the risk to Data Subjects. In doing so, the DPO should consider:
When determining the severity of consequences for Data Subjects, the DPO must consider whether the Personal Data breach may cause them any disadvantage or damage such as limitation of their rights, discrimination, identity theft or fraud, financial loss, damage to reputation, loss of confidentiality or any other significant economic or social disadvantage.
For example, a Personal Data breach which is unlikely to result in a risk to Data Subjects is one where the data is already publicly available. By contrast, the theft of a customer database which may be used to commit identity fraud would need to be notified to the Supervisory Authority given the potential financial impact on the affected Data Subjects.
The GDPR recognises that it will not always be possible to investigate a Personal Data breach fully within 72 hours to understand exactly what has happened and what needs to be done to mitigate it. In such circumstances, the DPO must provide the initial notification to the Supervisory Authority within 72 hours but can submit further information as soon as possible thereafter.
If it is known on notification that full information will not be available within 72 hours, the DPO should explain the delay to the Supervisory Authority and indicate when further information is likely to be submitted.
If a Personal Data breach has occurred, the DPO must notify the Supervisory Authority within 72 hours as explained above.
The ICO can be notified of a Personal Data breach by telephone on 00 44 303 123 1113, by email at email@example.com, or alternatively by consulting RJ’s legal advisers as to the procedure and content of the notification.
When reporting a breach the following must be provided:
It is essential for RJ to comply with its obligations under the GDPR, including reporting any Personal Data breach to the Supervisory Authority and, in the circumstances explained below, to the affected Data Subjects.
If RJ fails to notify a breach promptly, the Supervisory Authority has the power to impose very significant fines of up to €20m or 4% of annual global turnover (whichever is greater) in the case of serious breaches, or up to €10m or 2% of annual global turnover (whichever is greater) in the case of less serious breaches.
If the DPO, in consultation with RJ’s senior management and legal advisers, decides that the Personal Data breach is likely to result in a ‘high risk’ to the rights and freedoms of Data Subjects, those affected must be informed directly and as soon as reasonably possible. One of the main reasons for informing Data Subjects is to enable them to take steps to protect themselves from the effects of a breach.
Whether or not Data Subjects should be notified will depend on the circumstances of the breach. For example, if the affected data was securely encrypted and the key has not been compromised, this would represent a very low risk and may not require notification to Data Subjects. However, if there are no backups of the affected data and it is therefore irretrievably lost, this could still have negative consequences for Data Subjects which might require RJ to notify them.
A ‘high risk’ means the threshold for informing Data Subjects is higher than for notifying the Supervisory Authority. Again, both the severity of the potential or actual impact on Data Subjects as a result of a breach and the likelihood of this occurring must be assessed.
If the impact of the breach is more severe and/or the likelihood of consequences is greater, the risk will be higher. In such cases, the affected Data Subjects will need to be promptly informed so that the immediate risk of damage can be mitigated.
There is a presumption of a high risk to Data Subjects where the affected data is a ‘special category’ of Personal Data, such as information about a Data Subject’s health or biometric data (where used for ID purposes). This is because such data is more sensitive and warrants more protection.
If the DPO, in consultation with RJ’s senior management and legal advisers, decides that Data Subjects need not be notified, the DPO will still need to notify the Supervisory Authority unless it can be demonstrated that the breach is unlikely to result in a risk to Data Subjects’ rights and freedoms. In any event, the decision-making process should be recorded in a data breach log as set out above.
RJ will need to inform the affected Data Subjects about the breach in clear and plain language and provide the following information:
In practice, the Supervisory Authority may assist RJ in identifying what information should be communicated to Data Subjects.
Targeted messages should be sent to Data Subjects about breaches (i.e. they should not be "buried" in other communications). Press releases or general media statements are unlikely to be seen as effective notifications unless there are no other means of contacting the affected Data Subjects individually. RJ may also wish to suggest to the affected Data Subjects any steps they can take to mitigate the impact of the breach (e.g. password changes and credit record monitoring).
RJ should be aware that there may be additional notification obligations under other laws or regulations regarding a Personal Data breach. Third parties such as the police, insurers, professional bodies, or bank or credit card companies which can help reduce the risk of financial loss to Data Subjects may also need to be notified.
If a Personal Data breach occurs to data which is in the control of a Data Processor, that Data Processor must inform RJ as soon as it becomes aware of the breach. The DPO should then investigate the breach to assess the risk to Data Subjects as outlined above in order to determine whether it needs to notify the Supervisory Authority and/or the affected Data Subjects.
For example, if a third-party IT services provider which archives and stores passenger records on behalf of RJ suffers a cyber-attack which results in those records being unlawfully accessed, the IT firm must promptly notify RJ that the breach has taken place and RJ must take appropriate action.
In the event of a Personal Data breach, the Supervisory Authority may ask RJ to outline the security measures and compliance it had in place. In order to avoid potential Personal Data breaches, the following should be considered:
RJ as Data Controller should audit and map the Personal Data it is processing. In particular, it should identify what Personal Data is being processed, what systems are used and where the data is stored. These internal records of Processing could help identify which data has been compromised, which Data Subjects are affected, and help the DPO to make a swift assessment of whether an incident qualifies as a Personal Data breach and requires immediate action.
The systems and procedures in place to manage Personal Data breaches should be tested regularly to identify and remedy any vulnerabilities. Ideally, these systems should be tested in “live incident” simulations involving relevant RJ management personnel including legal advisers, communications functions and those involved in advising on reputational risk regarding the breach response.
It is common to experience "near misses", meaning threats to data which fail to result in an actual Personal Data breach. These near miss situations should be learnt from. They should feed back into preparations for breach response, and above all be used as a basis to reassess the adequacy of the measures adopted.
Where there is a joint controllership arrangement (e.g. with a code-sharing airline) the joint Data Controllers should determine, in advance, which of them is responsible for Personal Data breach notifications to ensure a fluid response to any security incident.
Schedule 1 – Personal Data Breach Flow Chart.