The data breach notification requirements of the EU GDPR (General Data Protection Regulation) are complicated, so it’s no surprise that many organisations aren’t sure what they’re supposed to be doing.
However, it’s crucial that you know what to do when disaster strikes. This blog post explains what you need to know in simple terms.
What is a personal data breach?
A data breach is any event in which the confidentiality, integrity or availability of information is compromised. Data doesn’t need to be stolen to be breached; it might also have been lost, altered, corrupted or accidentally disclosed.
Data breaches can happen to any kind of information, but the GDPR is concerned only with personal data. The Regulation defines this as “any information relating to an identified or identifiable natural person”. In other words, any information that is clearly about a particular person.
This might be someone’s name, ID number, online identifier, etc., or a combination of details that can be pieced together to establish somebody’s identity.
What breaches do you need to notify the ICO about?
Personal data breaches that “pose a risk to the rights and freedoms of natural living persons” need to be reported to your supervisory authority. In the UK, this is the ICO (Information Commissioner’s Office).
“Risk” here refers to the possibility of affected individuals suffering economic or social damage, such as discrimination, reputational damage or financial loss.
How do you notify the ICO?
You can report a breach to the ICO over the phone or online. You will be expected to provide the following information:
- Situational analysis: Provide as much context as possible, including the initial damage (what happened), how it affected your organisation (what went wrong) and what caused it (how it happened).
- Assessment of affected data: Ascertain the categories of personal data and the number of records concerned.
- Description of the impact: Describe the consequences of the breach for affected parties. This will depend on the information that was compromised.
- Report on staff training and awareness: If the breach was a result of human error, did the employee(s) involved receive data protection training in the past two years? Provide details of your staff awareness training programme.
- Preventive measures and actions: What measures did you have in place before the breach to prevent incidents like this from occurring? What steps have you taken, or plan to take, to mitigate the damage?
- Oversight: Provide the contact details of your DPO (data protection officer) or the person responsible for data protection.
How much time do you have to report a breach?
Organisations must report a breach within 72 hours of becoming aware of it. The GDPR acknowledges that it will be hard to produce all the necessary information within this timeframe, so you aren’t expected to provide comprehensive details in the initial report.
How will you respond to a data breach?
A recent Ponemon Institute survey found that one in four organisations will fall victim to a data breach within the next two years. This means there’s a good chance you could suffer a similar fate to Uber. But will you be able to manage the process effectively or face harsh penalties that could have long-term effects?
Find out the best way to respond when disaster strikes by reading our free data breach survival guide. You’ll discover:
- The key questions the ICO will ask when you report a data breach;
- How to undertake effective data breach response management;
- The types of precautionary measures you need to implement to reduce the effects of a breach; and
- The six key steps you can take to ensure you meet the GDPR’s compliance requirements.