Oliver Topping at Sackers explains how schemes should react in the event of a data breach.
Action points
Ensure a clear process is in place in case a breach occurs
Trustees should nominate a decision-maker in advance to manage any breach event
Check providers are prepared to promptly notify breaches to trustees
One of the biggest changes being brought in by the General Data Protection Regulation relates to what needs to be done when there is a data breach.
While steps can be taken to avoid data breaches, they can still happen to even the best-prepared trustee board. For a pension scheme, a breach could range from a minor mistake, such as sending a benefit statement to the wrong member, to a catastrophic hack, for example scheme membership data leaked onto the internet.
Different steps will need to be taken to recover from a data breach, depending on how serious the breach is, and trustees should plan ahead to make sure they are prepared for the new requirements. Not complying could potentially lead to significant fines.
From May 2018, all personal data breaches – no matter how trivial – will need to be logged in the trustees’ data breach log.
The entry will need to set out the facts behind the breach, the effects on members and what remedial action has been taken. If trustees do not currently have this type of log they should put one in place before May 2018.
Reporting breaches
More serious breaches will need to be reported to the Information Commissioner’s Office, the UK’s independent body set up to uphold information rights.
The GDPR says that a breach will need to be reported if it is likely to result in a “risk to the rights and freedoms of individuals”.
This wording is vague, but the EU has published guidance to help work out when breaches will need to be reported. Broadly speaking, where the breach is likely to have a significant detrimental effect on a member, such as where it could lead to identity theft, then a report to the ICO will need to be made.
It is probably a good idea to take legal advice if it is not clear whether the breach falls into this category. The timeframes for reporting to the ICO are tight, and a report will generally need to be made within 72 hours of trustees becoming aware of the breach, although follow-up information can be reported later.
When to make members aware
The most serious breaches will need to be reported to members, as well as to the ICO – although this only applies to breaches which result in a “high risk to the rights and freedoms of individuals”, and is a higher threshold than for notifying the ICO.
Notifications to members will have to be made “without undue delay”, but there is no fixed time limit in the GDPR – so again it might be sensible to ask the scheme’s legal advisers to confirm whether the breach falls within this category.
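As an added illustration, not from the article or from Sackers, the following Python breach register shows how a scheme might record the log entry described above and derive the required actions from the two GDPR thresholds: every breach is logged, a breach carrying a “risk” is reported to the ICO within 72 hours of awareness, and a “high risk” breach is additionally notified to members. The Risk tiers, field names and sample entries are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum

class Risk(Enum):
    # Constructed tiers mirroring the article's two GDPR thresholds.
    TRIVIAL = 0    # log only
    RISK = 1       # "risk to the rights and freedoms of individuals": report to ICO
    HIGH_RISK = 2  # "high risk": report to ICO and notify members

ICO_WINDOW = timedelta(hours=72)  # reporting window from trustees becoming aware

@dataclass
class BreachEntry:
    """One line of the trustees' breach log: facts, effects, remediation."""
    facts: str
    effects_on_members: str
    remedial_action: str
    risk: Risk
    aware_at: datetime  # when trustees became aware; must be timezone-aware

def required_actions(entry: BreachEntry) -> list:
    """Every breach is logged; ICO and member notification depend on the tier."""
    actions = ["log"]
    if entry.risk.value >= Risk.RISK.value:
        actions.append("report_to_ico")
    if entry.risk is Risk.HIGH_RISK:
        actions.append("notify_members")
    return actions

def ico_deadline(entry: BreachEntry):
    """72-hour ICO deadline, or None when no ICO report is required."""
    if "report_to_ico" not in required_actions(entry):
        return None
    return entry.aware_at + ICO_WINDOW

def hours_remaining(entry: BreachEntry, now: datetime):
    """Hours left to report to the ICO (negative once overdue); None if not required."""
    deadline = ico_deadline(entry)
    return None if deadline is None else (deadline - now).total_seconds() / 3600

# Constructed sample entries, not real incidents.
AWARE = datetime(2018, 6, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_LOG = [
    BreachEntry("Benefit statement posted to the wrong member", "One member's data seen by another",
                "Statement recalled; member contacted", Risk.TRIVIAL, AWARE),
    BreachEntry("Membership data exposed on a public web server", "Identity theft likely",
                "Server taken offline; credentials rotated", Risk.HIGH_RISK, AWARE),
]
```

Whether a real breach sits in the “risk” or “high risk” tier is the judgement the article suggests taking legal advice on; the code only turns that judgement into the resulting actions and deadline.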
Other practical steps
Aside from the reporting requirements, trustees should consider other practical steps to manage breaches:
Do they have insurance which might offset the cost of investigating and reporting the breach?
How will trustees manage reputational damage and media reports?
Is there resource within the sponsoring employer that could assist in breach management?
In a recent blog, Elizabeth Denham, information commissioner, set out how she thinks controllers should approach data breaches.
Though she acknowledges that the GDPR raises standards for data controllers, Denham makes clear that the ICO will only issue fines in a proportionate way.
Fines can be avoided if trustees are open and honest about breaches and report without undue delay.
While we all want to avoid a data breach happening in the first place, establishing robust processes and complying with the GDPR’s requirements will help to manage the risk.
Oliver Topping is an associate at law firm Sackers