Blog, news & updates

GDPR – What should happen after a data breach?

what should happen after a GDPR data breach?

The countdown has begun – in 6 months’ time, the GDPR will be in full force in the UK. It imposes tough new rules on how organisations should collect, use, and store people’s personal data – as well as giving the public greater rights over who gets to see that data, and what they can do with it.

Data Breaches

The GDPR brings in a lot of new changes to the way personal data can be handled – one of the biggest differences is what needs to be done after a data breach. A breach is defined as the unauthorised destruction, loss, alteration, disclosure or accessing of people’s personal data, whether intentional or accidental. If a breach is likely to cause a risk to people’s rights and freedoms, it needs to be reported to the supervisory authority – in the UK that’s the Information Commissioner’s Office (ICO). If the threat to people’s rights is particularly severe then the people at risk need to be notified directly. In both cases, this needs to be done within 72 hours of finding out about the breach.

Let’s consider a few examples: Suppose a company has a list of staff members’ names and telephone numbers saved on a laptop. Whilst working, somebody accidentally deletes this information. This is annoying and may take some time to rectify, but it’s unlikely to cause any serious harm to anyone, and nobody’s rights are at risk – so, it doesn’t need to be reported.

But what if that file was saved on a memory stick, and that memory stick was stolen from a public place? The risk here is more severe – the data could be sold, or disseminated against the people’s wishes. In this case, a data breach notice should be sent to the ICO.

Now imagine that list contains names, phone numbers and bank account details. This time the threat is severe. Anyone nefarious enough could use that information to empty all the money from their bank accounts or steal their identity. In this case, both the ICO and the people at risk should be contacted within 72 hours.

Data Breach Notification

Every Data Breach Notification will be slightly different, but should at least contain:

  • The nature of the breach;
  • The name and contact details of the Data Protection Officer;
  • A description of the likely consequences of the breach; and
  • A description of any measures taken, or proposed to be taken, to deal with the breach.

Penalties for non-compliance

Uh oh! There’s been a data breach.

You’ve spent the last week scrabbling around trying to minimise the damage. You’ve been so busy, in fact, that you’ve completely forgotten to notify the ICO. Oh well, what’s the worst that can happen?

A major change brought in by the GDPR is the severity of the fines it can levy for non-compliance. Failure to notify the ICO of a breach within a reasonable timeframe, will leave you open to a whopping €10 million fine, or 2% of your global turnover – whichever is higher.

Don’t get caught out, data breaches are costly enough by themselves, without paying an extra €10 million + on top. Train staff to recognise a data breach and have policies and procedures in place for reporting them to the ICO.

Our GDPR Training

Our GDPR Essentials Training is suitable for everyone who handles personal data and builds understanding on how to keep personal data safe and protect the people whose data it is. We also offer GDPR Training for Management and a short 15-minute GDPR Refresher course for those who have already taken GDPR Training previously. 

If you haven't done so already, you can sign up for a free trial today!

Further reading: 

GDPR Training Courses