GDPR: Personal Data Breaches
What is a personal data breach?
A personal data breach is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
Some examples of personal data breaches can be:
- access by an unauthorised third party;
- deliberate or accidental action (or inaction) by a controller or processor;
- sending personal data to an incorrect recipient;
- computing devices containing personal data being lost or stolen;
- alteration of personal data without permission; and
- loss of availability of personal data.
Preparing for a Personal Data Breach
An organisation should know how to recognise a personal data breach. Yahoo, for example, took years to identify and disclose the compromise of three billion user accounts, and faced numerous lawsuits for damages as a result. A response plan should be prepared to address any personal data breach that occurs, and responsibility for managing breaches, including deciding whether a breach has actually occurred, should be allocated to a named person or team appropriate to the size of the organisation.
Responding to a Personal Data Breach
Organisations should have a process in place to assess the likely risk to individuals arising from a breach, and should know which supervisory authority is relevant for their processing activities (for UK organisations, the ICO). Unless the breach is unlikely to result in a risk to individuals' rights and freedoms, there must be a process to notify the ICO within 72 hours of becoming aware of it; if not all details are available by the 72-hour mark, the notification can be made in phases, with further information provided as it is obtained. Where a breach is likely to result in a high risk to individuals, those affected must also be informed without undue delay, so organisations must know what information about the breach to provide to them. All breaches should be documented, including the facts, effects and remedial action taken, even those that do not need to be reported.
With all of this considered, organisations must understand that a personal data breach is not only about the loss or theft of personal data. A breach can have a range of adverse effects on individuals, including emotional distress and physical, material or non-material damage. Some personal data breaches will not lead to risks beyond possible inconvenience to those who need the data to do their job; others can significantly affect the individuals whose personal data has been compromised. The risk has to be assessed case by case.
What Happens if we Fail to Notify?
Failing to notify a breach when required to do so can result in a significant fine of up to 10 million euros or 2 per cent of your global annual turnover, whichever is higher. The fine can be combined with the ICO's other corrective powers under Article 58. So it is important to have a robust breach-reporting process in place to ensure you can detect a breach, notify it on time and provide the necessary details.
Experiencing a breach of personal data can cause serious damage to any organisation. Our mission is to help you prepare for and combat data privacy issues.
ilicomm have over 25 years' experience delivering cost-effective information security and regulatory compliance solutions. Contact us to discover how we can ensure your business's security is at its most efficient and cost-effective.