Applying the GDPR – Personal data breach notification
A personal data breach is a breach of information security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This definition means that a personal data breach is considerably more than merely ‘losing’ someone’s personal data.
This is a preview lecture from our online course ‘GDPR – In nutshell’, for the full course visit https://www.udemy.com/gdpr-in-a-nutshell/
Organisations need only inform the supervisory authority, i.e. the ICO in the UK, of a personal data breach, when that breach is likely to result in the risk to the rights and freedoms of individuals. The idea is, that such a personal data breach, if it was left unaddressed, is likely to have a significant detrimental effect on those individuals.
The sorts of examples given, include discrimination, damage to a person’s reputation, they might suffer a financial loss, they could lose confidentiality of information, or suffer some other significant economic or social disadvantage.
This means that the impact of a personal data breach must be assessed on a case-by-case basis. If your organisation was hacked and part of that hack was a loss of customer data records. If the information contained in those customer records meant that for the individual’s concerned, that they could suffer a financial loss you would need to notify this to the supervisory authority.
The key point is, for your organisation to determine on a case-by-case basis, whether the loss of personal data is significant enough to notify the ICO. Where there’s a high risk to the rights and freedoms of an individual, an organisation must notify the individuals concerned directly.
It’s up to the organisation to determine what constitutes a ‘high risk’. But, in informing the ICO of the data breach, the ICO might demand that you notify the data subjects directly. Overturning your organisation’s original risk rating. Let’s say that you do have a personal data breach.
The ICO want you to give as much information as possible. Typically, the information expected includes the categories and approximate numbers of individuals concerned with the breach. The categories and approximate number of personal data records concerned. The name and contact details of the data protection officer, if you’ve got one. Or, other contact points where from where more information can be obtained.
They’d also like a description of the likely consequences of the data breach. They want a description of the measures that your organisation’s taken or proposes to take, to deal with the data breach and, where appropriate, they’d like to know about the measures taken to mitigate any possible adverse effects on the data subjects. A notifiable breach must be reported within 72 hours of the organisation becoming aware of it. Imagine if you became aware of it at five o’clock on a Friday night, the weekend before a bank holiday! That could cause real problems. The GDPR recognises that it will often be impossible to fully investigate a breach within the stipulated time period. So, it allows organisations to provide information in phases. If the breach is sufficiently serious to warrant public notification, then an organisation must do so without undue delay.
If your organisation fails to notify the ICO of a personal data breach, it runs the risk of the penalties under technical non-compliance. Just to restate. This could end up in a fine of up to 10 million euros, or 2 percent of the organisation’s global turnover. A sensible approach might be for your organisation to prepare in advance of a data breach.
How could you go about doing this? Much of it is about internal awareness. Ensuring that staff understand what constitutes a personal data breach and it’s considerably more than simply ‘losing’ data.
Organisations can establish internal personal data breach reporting procedures in advance. Doing this requires a ‘no blame’ reporting culture. If your organisation has a blame culture it’ll be very difficult to get the required information gathered together within the stipulated timescales.
An internal personal data breach reporting procedure will aid an organisation’s decision-making process for notifying the ICO and/or whether it needs to go public with the data breach. Given the tight notification timescales, it’s important that your organisation implements robust breach detection, investigation and internal reporting procedures before any of these breaches occur. You wouldn’t want to simultaneously be dealing with the impact of a personal data breach whilst also trying to figure out the required notification process.
For more data protection training videos subscribe to the CHL channel https://www.youtube.com/channel/UCthdDUWBZrmnTOkmxwm5HKw
Questions about this course?
Start a conversation today email firstname.lastname@example.org