The GDPR introduces mandatory obligations on controllers to notify personal data breaches to the Information Commissioner’s Office (‘ICO’) and to individual data subjects in certain circumstances. There is also a requirement to keep internal records of any personal data breaches that occur within your organisation, regardless of whether they meet the threshold for notifying the ICO and data subjects. Bearing in mind a personal data breach can be anything from an email containing personal data being sent to the wrong recipient to a full-scale cyber security attack, this will be quite an undertaking.
The timescale for notifying the ICO, if you need to, is extremely tight - just 72 hours from when you become aware of the breach. This is not much time to:
- Ensure the right people in your organisation are made aware of the breach;
- Identify the nature and scope of the breach;
- Determine whether any security measures can be used to contain and/or mitigate the effects of the breach, and deploy them;
- Determine whether the breach has resulted in any risk to data subjects and, if so, whether that risk is sufficiently serious to warrant mandatory notification of the ICO and the data subjects themselves;
- Prepare your notification to the ICO.
Our action point for this month therefore is to get a data breach reporting team in place. Depending upon the size and nature of your organisation this is likely to include the person or people with responsibility for operations, compliance, IT and legal and of course your Data Protection Officer or equivalent if you have one. You should also have a Data Breach Reporting Policy to ensure your organisation can respond efficiently and effectively to any personal data breach (if you would like a quote for a Data Breach Reporting Procedure please click here).
It is also a good opportunity to start reviewing your security provision generally. Under the GDPR, controllers are required to ensure the appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. This exercise will be wider than merely checking your IT security provision, and should encompass building security, the security of paper files and portable electronic devices (particularly where employees are entitled to use their own portable electronic devices for work). You may need a "Bring Your Own Device" Policy in these circumstances (if you would like a quote for a "Bring Your Own Device" Policy please click here).
If you would like any further information about the GDPR and how it might affect your organisation, please download our Geldards Guide or if you would like to discuss how Geldards can help with training on the GDPR, please do not hesitate to contact our Information Law Team.