Personal Data Breach: What do you need to consider under GDPR?
With many changes to our working practices on the horizon, it’s easy to forget the importance of understanding what to do when things go wrong. GDPR sets out specific requirements for what we should do if we have caused a “personal data breach”, none more obvious than the need to report it within, ideally, 72 hours.
First let’s consider the definition of a Personal Data Breach: “A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are a result of both accidental and deliberate cause. It also means that a breach is more than just about losing personal data.”
Firms have a duty to report certain types of data protection breaches to the relevant authorities within 72 hours of the firm first becoming aware of the breach. However, we are not obliged to report all breaches, so what should we do to understand whether the requirement applies to us or not? Well, when a breach has occurred you should:
Establish the likelihood that the breach will impact an individual’s rights and freedoms
Establish the severity of the impact the breach could have on an individual’s rights and freedoms
If the breach is likely to have a severe impact on the individual’s rights and freedoms, it must be reported within the 72-hour timeline
You must inform the individuals affected without unnecessary delay
Ensure you keep a record of all personal data breaches
In the event of a breach, when considering the likelihood and severity of the impact on an individual’s rights and freedoms, you must ensure you assess:
Any physical damage
Any material or non-material damage resulting from their loss of control over their data
Any possible discrimination
The possibility of identity theft or fraud
Possible financial loss
Any damage to reputation
Loss of personal data protected by professional secrecy
Social disadvantage to the person concerned
Examples of personal data breaches could be:
Personal data has been given to an unauthorised third party, whether a company or an individual
Personal data has been sold, for example on the dark web for a profit
Personal data has been sent to an incorrect individual
Personal data has been altered intentionally or unintentionally
The rules are now quite clear. If you have yet to establish your GDPR processes in relation to data breaches, you should consider the following:
Can you recognise a personal data breach in accordance with the definition?
Has your firm established a process in the event of a breach?
Have you updated existing breach reporting processes?
Who has responsibility for managing personal data breaches?
Have staff received sufficient training to recognise and report a potential breach?
Have you identified the authorities you will need to report the breach to?
Is your firm aware of the timescales?
When sharing data with a supplier, you must be authorised to do so
The above are just some steps you could take to get GDPR ready, but first of all consider completing our very short course on GDPR, which covers all of the GDPR requirements you need to know (not just data breaches). You can sign up to the Essentials course for FREE or pay £75 for the more in-depth All Stars course.