“One of our suppliers has contacted us. They are investigating a serious security breach. Can you jump on a call?”

Words to make any DPO or compliance professional take a deep breath.

In this blog post, I’m going to focus on how you assess the risks to data subjects should the worst happen and your data is compromised.

First meeting: key questions

Often, the first meeting with internal teams is to establish the facts of what has happened. What do they know from the supplier so far and what steps are being taken to contain the breach?

It’s important at this stage to start an incident log – start recording the time and date information became known. This will be essential when the incident is reviewed later. You could even appoint someone as an official incident record keeper.

The first question from senior leadership will be: “What is our risk? Do we need to report to the supervisory authority?”

This is where a lot of people get stuck, because the GDPR (General Data Protection Regulation) doesn’t give you a neat formula. Article 33 says you need to notify the supervisory authority within 72 hours unless the breach is “unlikely to result in a risk to the rights and freedoms of natural persons”. That’s a judgement call, and it needs to be a defensible one.

So how do you actually make it?

Establishing the facts

Before you can assess any risk, you need to understand what you’re dealing with. In the early hours of an incident, information is almost always incomplete. That’s normal. You’re not waiting for perfect clarity – you’re working with what you’ve got and updating as you go.

The questions you need answers to (even if the initial answer is “we don’t know yet”):

  • What data is affected? Names and email addresses are a different conversation to special category data, financial records or ID documents.
  • How many individuals are affected? A breach involving 50 people and one involving 50,000 will require very different responses. But don’t fall into the trap of assuming small numbers mean low risk – 50 people whose medical records have been exposed are still facing serious harm.
  • Who are the affected individuals and where are they based? Are they employees, customers, children or vulnerable people? The nature of the data subjects matters. If you’re an international organisation, it’s worth understanding where the data subjects are based as different jurisdictions have different reporting requirements and may carry more risk.
  • What happened to the data? Was it accessed, exfiltrated, deleted, altered or simply exposed?
  • Who has access to it now? Is the data in the hands of an unknown attacker or a known but unauthorised third party, or was it accidentally sent to the wrong recipient who has confirmed they’ve deleted it?
  • Is the data encrypted or otherwise protected? If the compromised data was encrypted to a strong standard and the keys weren’t also compromised, that changes your risk picture. This is one of the few factors that can move a breach from reportable to not reportable.
  • Has the breach been contained? Is the vulnerability still open? Is data still being accessed? Containment status affects both immediate risk and your obligations around mitigating further damage.
  • Are you the controller/joint controller or a processor? Understanding your responsibilities will dictate your reporting requirements and what you do next.

Analysis of aggravating and mitigating factors

Once you’ve gathered this information, it can be helpful to analyse it in terms of what’s making the situation better and what’s making it worse.

Aggravating factors might include:

  • The data was unencrypted;
  • The breach went undetected for an extended period;
  • The data is highly sensitive or includes special categories;
  • The affected individuals are vulnerable;
  • The data has been published online or is in the hands of a malicious actor; or
  • There’s evidence the data has already been misused.

Mitigating factors might include:

  • The data was encrypted and keys weren’t compromised;
  • The breach was contained quickly;
  • The recipient has confirmed deletion;
  • The data is limited in scope or unlikely to be useful on its own; or
  • You have strong evidence that no unauthorised access actually occurred.

It’s important that you’re honest and factual here – don’t try to make something look better than it is. You may also need to draw on expertise from colleagues in cyber security or staff who are more familiar with the data set.

Assessing the risk to individuals

Now you’re assessing risk to the people whose data has been compromised. Put yourself in their shoes. If your data had been exposed in this way, what could happen to you? It’s also important to consider whether the impact would be different if the data subject has any protected characteristics. Someone who is vulnerable may face additional risks, and something that is merely embarrassing to an organisation could be devastating to an individual.

The European Data Protection Board’s guidelines on personal data breach notification (Guidelines 9/2022) are a good resource here. They set out the types of harm to consider:

  • Physical harm
    Could someone be put at physical risk? This is most relevant in cases involving location data, children or vulnerable people, domestic abuse situations, or witness protection scenarios.
  • Material harm
    Financial loss, identity theft or fraud. If bank details, ID documents or enough personal data to open accounts in someone’s name have been compromised, this risk is real and immediate.
  • Non-material harm
    Distress, reputational damage or discrimination. Health data being exposed could lead to stigma. Employment records in the wrong hands could affect someone’s career. Even the anxiety of not knowing who has your data is a recognised harm.
  • Loss of control over personal data
    This is a harm in itself. If people can no longer control who has access to their information, that’s a rights infringement regardless of whether anything ‘bad’ happens next.

Recording risks

At this point it’s worth documenting each risk, the detail behind it and the likelihood of the risk occurring. This will give you your assessed risk level.

Some examples of recorded risks could be:

  • RR001: Risk of identity fraud
    Compromised data includes full names, dates of birth and official identification documents, which in combination with a proof of address could be used to open fraudulent accounts. Risk level: High.
  • RR002: Risk of targeted phishing
    Email addresses combined with knowledge of the data subjects’ relationship with the organisation could enable convincing social engineering attacks. Possible mitigations include informing the data subjects so they are alert to suspicious emails. Risk level: Medium.
  • RR003: Risk of distress
    Data subjects may experience anxiety knowing their personal data has been accessed by an unauthorised party. However, this is limited as the individual is a medical professional who understands the information is confidential. Risk level: Low.

Risk statement

This is your overall conclusion – the narrative that pulls everything together. It should state clearly whether the breach is likely to result in a risk (or high risk) to the rights and freedoms of the affected individuals, and therefore whether you need to report to the supervisory authority and/or notify individuals directly.

Remember the two thresholds: under Article 33, you report unless the breach is unlikely to result in a risk. Under Article 34, you notify individuals if the breach is likely to result in a high risk. If you decide not to report, you must still document the breach and your reasoning internally under Article 33(5).

A good risk statement is concise but defensible. It references the key facts, acknowledges what’s still unknown and explains the reasoning behind your decision. Don’t be afraid to state that residual uncertainty exists – the GDPR doesn’t require certainty; it requires a reasonable assessment based on what you know at the time.

A final thought

Incident risk assessments are a skill you develop through preparation, practice, and – unfortunately – experience.

The organisations that handle breaches well aren’t the ones that never have them. They’re the ones that have thought about their response before the phone rings and created a culture where staff feel comfortable reporting breaches.

If you haven’t run a tabletop exercise with your incident response team recently, that’s a good place to start. Simulate a supplier breach. Walk through the assessment process. Find out where the gaps are before a real incident finds them for you.

Because it’s not a question of if. It’s when.

How GRC Solutions can help

Make sure you’re prepared for the worst happening. Get in touch today to learn how to build data breach response capabilities with support from the experts.


About the author

Emma Young is a senior data privacy consultant at GRC Solutions, with experience across healthcare, defence, regulated utilities, aviation and global consultancy. She holds a portfolio of governance and compliance credentials including CIPM, Europrivacy Auditor, ISO 42001 and ISO 27001 Implementer. Emma specialises in data protection and AI governance, advising clients and senior leadership on navigating complex regulatory landscapes with confidence.