• Robert Bell

Personal Data Breach: What do you need to consider under GDPR?


With many changes to our working practices on the horizon it’s easy to forget the importance of understanding what to do when things go wrong. There are specific requirements in GDPR setting out what we should do if we have caused a “personal data breach”, none more obvious than the need to report it within, ideally, 72 hours.

First let’s consider the definition of a Personal Data Breach: “A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are a result of both accidental and deliberate cause. It also means that a breach is more than just about losing personal data.”

Firms have a duty to report certain types of data protection breaches to relevant authorities within 72 hours of when the firm is first aware of the breach. However, we are not obliged to report all breaches, so what should we do to understand whether the requirement applies to us or not. Well, when a breach has occurred you should:

  • Establish the likelihood that the breach will impact an individual’s rights and freedoms

  • Establish the severity the breach could have on an individual’s rights and freedom

  • If there is a risk the breach is likely to have a severe impact on the individual’s rights and freedom, this must be reported in accordance to the 72 hours timeline

  • You must inform the individuals affected without unnecessary delay

  • Ensure you keep a record of all personal data breaches

In the event of a breach, when considering the likelihood and severity on an individual’s rights and freedom, you must ensure you assess:

  • The result of physical damage

  • The result of material or non-material damage of their loss of control on their data

  • Any possible discrimination

  • The possibility of identity theft or fraud

  • Possible financial loss

  • Any damage to reputation

  • Loss of personal data protected by professional secrecy

  • Social disadvantage to the person concerned

Examples of personal data breaches, could be:

  • Personal data has been given to an unauthorised third party, either company or individual

  • Personal data has been sold, for example on the dark web for a profit

  • Personal data has been sent to an incorrect individual

  • Personal data has been altered intentionally or unintentionally

The rules are now quite clear, if you have yet to establish you GDPR processes in relation to data breaches you should consider the following:

  • Can you recognise a personal data breach in accordance to the definition?

  • Has your firm established a process in the event of a breach?

  • Have you updated existing breach reporting processes?

  • Who has responsibility for managing personal data breaches?

  • Have staff received sufficient training to recognise and report a potential breach?

  • Have you identified the authorities you will need to report the breach to?

  • Is your firm aware of the timescales?

  • When sharing data with a supplier, you must be authorised to do so

The above are just some steps you could take to get GDPR ready, but first of all consider completing our very short course on GDPR which covers all of the GDPR requirements you need to know (not just data breaches), you can sign up to the Essentials course for FREE or pay £75 for a more in-depth All Stars course.

#databreach #processes #policies #GDPR

Conduct Rules Training

Training courses to comply with the FCA's annual training requirement

Compliance Resource Library

Download our FCA Guidance, SM&CR and GDPR Compliance Resources

© 2020 by RB Compliance Consultancy Ltd.

Registration No: 07904749.  All rights reserved. 

Created by Michelle Lucherini Marketing