General Data Protection Regulation: Data Breach Reporting

In the new GDPR you will be required to be able to report on a data breach. In this blog we will look at what is a data breach and what to do if you have one.

A Data Breach: No matter how good the governance, controls and discipline are around data protection, data breaches of some type will occur but what can be defined as a data breach?

A data breach is an incident where sensitive information like personal details are exposed, either through accidental internal errors or by malicious intention or external hacking. Data breaches can be a daily occurrence in some organisations which range from very small and insignificant to high level, high impact cases.

Should we all be concerned? Yes! According to IDG (International Data Group), who compiled a list of the top 16 cases of the 21st century so far, based on risk and damage rather than the number of records, Yahoo is in the top spot when, between 2013-14, three billion user accounts were compromised. All these details were revealed during its sale to Verizon and resulted in an estimated $350 million being knocked off its price. The combined company had shared regulatory and legal liabilities. The list goes on and includes Equifax, eBay, TJX, Sony PlayStation, VeriSign and Adobe, each of whom were fined in many varied ways.

Although under the Data Protection Act of 1998 there is currently no legal obligation on data controllers to report breaches of security which result in loss, release or corruption of personal data, the ICO state that serious breaches should be conveyed. However, when the GDPR comes into play in May 2018 this will all change. With the new legislation, in the event of a personal data breach, the data controller must disclose this without undue delay and within 72 hours of becoming aware of any breaches. Unless the risk is minimal, failure to comply with the strict 72 hour deadline must be accompanied with the reasons why this was not complied with.

The notification to the ICO must include:

  • The nature of the breach.
  • The categories and numbers of data subjects and data records potentially affected by it.
  • The name and contact details of the data protection officer.
  • The likely consequences.
  • A description of the measures taken to address the issue, including, where appropriate, measures to mitigate its possible adverse effects.

If it is not possible to provide all of the information immediately this can be provided in phases. The controller must document the breach including the nature of the breach and any remedial action taken. The documentation will enable the authority to verify compliance with Article 33 (Notification of a personal data breach to the supervisory authority).

About the author

Ben Crick

Get in touch

Want to find out more? Get in touch and discover what Symatrix could do for your business. We’d love to chat.

Get in touch

Cookie Notice

Find out more about how this website uses cookies to enhance your browsing experience.

This site uses cookies – small text files that are placed on your machine to help the site provide a better user experience. In general, cookies are used to retain user preferences, store information for things like shopping baskets, and provide anonymised tracking data to third party applications like Google Analytics. As a rule, cookies will make your browsing experience better. If you continue to use  the site we shall assume your consent to the use of cookies. However, you may prefer to disable cookies on this site and on others. The most effective way to do this is to disable cookies in your browser. We suggest consulting the Help section of your browser or taking a look at the About Cookies website which offers guidance for all modern browsers