Breach notification

In the event of a security incident, the GDPR states that you should find out as quickly as possible whether a personal data breach has occurred. If a personal data breach has occurred, it should be reported as soon as possible to the Information Commissioner's Office (ICO) and to the data subject. You should also document all decisions made during this time.
What is a personal data breach?
A personal data breach is a security incident that affects the confidentiality and integrity of the personal data you hold. This type of incident can lead to the accidental or unlawful loss of personal data, as well as unauthorised disclosure of, or access to, personal data.
What breaches must be reported?

When there has been a breach of personal data, it must be quickly established whether the breach is likely to result in a high risk to the data subject's rights and freedoms. When this is the case, it should be reported to the supervisory authority (ICO). If the breach isn't deemed to pose a high risk to the data subject, then it doesn't have to be reported. However, this decision must be documented, along with the justification for not reporting it.
Breaches to personal data could result in:
→ discrimination
→ identity theft
→ fraud
→ financial loss
These consequences could have adverse effects on the data subjects, which include:
→ emotional distress
→ physical damage
→ material damage
All data breaches must be assessed on a case-by-case basis, looking at all relevant factors, so that appropriate steps can be taken.
When to report?
The GDPR states that organisations must report any data breaches to the ICO without undue delay, and within 72 hours. Reports to the ICO should include:
→ a thorough description of the breach
→ the name and contact information of the organisation reporting the breach
→ information about the likely consequences of the breach
→ a report of the steps taken to address the breach
All breaches must be recorded, and data subjects must be informed so that they can take necessary measures to protect themselves. When notifying the data subject, you must include:
→ a contact point
→ information about the likely consequences
→ a report of the steps taken to address the breach
How should a company respond?

In the event of a data breach, companies must address the situation and comply with the GDPR. When submitting a report to the supervisory authority, a thorough assessment of the breach must be made. By doing this, companies can identify how the breach occurred and the steps they can take to prevent a recurrence.
Breaches of data security are most often the result of human error, which can stem from a lack of data protection training and a lack of understanding of data security.
Once companies have identified breaches and how they have occurred, they must take steps to remedy the cause. Things that companies can do to avoid data breaches are:
→ ensure computer software is up to date
→ install security software on company computers
→ enforce policies and procedures (such as an information security policy)
→ train staff on data protection
Summary
In this module, we have looked at the rights of data subjects according to the GDPR. We have also looked at how these rights can be compromised by data breaches. The key things we have learnt are:
→ how we are all data subjects, and what everyday actions can result in us providing personal data to third parties
→ the individual rights of the data subject and when these rights apply, such as the right to access and the right to erasure
→ what happens when there is a breach of data security and how it could potentially affect the integrity of an individual's data
→ what breaches should be reported and that all breaches must be reported within 72 hours