On Thursday 19 July 2018 the ICO hosted a webinar on Data Breach Reporting. It was aimed at Data Controllers and provided advice and guidance on how and when to report security breaches to the ICO, following the introduction of the General Data Protection Regulation (GDPR) on 25th May 2018.
The General Data Protection Regulation (GDPR) introduces a duty to report certain types of personal data breach to the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach. Failure to do so may result in a fine of up to 10 million euros or 2 per cent of your global turnover.
This means that you must implement robust measures that will enable you to detect, investigate and report personal data breaches, and assess if they require formal reporting to the Information Commissioner or those individuals to whom the personal data breach relates.
The GDPR defines a personal data breach as “… a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
This includes breaches that are the result of accidental or deliberate causes. It also means that a breach is more than just about losing personal data.
To assist in identifying a data breach, the ICO considered three specific types of data breach, whilst recognising that in practice a breach may include elements of more than one of these.
It is the responsibility of the Data Controller to put in place suitable measures that will not only protect personal data from breaches, but identify breaches if they occur, and provide an appropriate response to the breach. The Data Controller becomes aware that a breach has occurred when there is a reasonable degree of certainty that a security incident has led to personal data being compromised.
Not all data breaches are required to be reported to the Information Commissioner. The Information Commissioner’s Office must be informed if the breach is likely to result in a risk to the rights and freedoms of an individual, for example discrimination, damage to reputation, financial loss, loss of confidentiality or other economic or social disadvantage. This should be assessed on a case-by-case basis.
Furthermore, where a breach is likely to result in a “high risk” of adversely affecting an individual’s rights and freedoms, you must notify the individual directly.
When assessing these risks, you should consider a combination of the severity and the likelihood of the potential negative consequences of a breach. Factors to consider include:
Notifiable breaches must be reported to the ICO without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach. The 72 hours include weekends, evenings and bank holidays, and if you take longer than this you must provide a reason for the delay.
Where the personal data breach is assessed as a risk to individuals, you must describe the nature of the personal data breach including, where possible, the categories and an approximate number of data subjects concerned, and the categories and an approximate number of personal data records concerned. In addition, you should inform the ICO of:
If the breach is likely to result in a high risk to the rights and freedoms of individuals, the GDPR requires you to provide this information, in clear and plain language, to those concerned, directly as soon as possible.
Regardless of whether you inform the ICO and/or the individual, you should properly document your risk assessment and decision-making process.
If you decide not to notify individuals, the ICO has the power to compel you to inform the affected individuals if it considers there is a high risk.
To meet the requirements of the GDPR in respect of personal data breach management and reporting you should have in place the following measures:
These measures should be supported by documented policies and procedures.
If you would like any further information, please contact our Data Protection Officer (DPO) on 01295 477 250; alternatively, you can email email@example.com.