In the sixth and last part of our GDPR blog series we’re covering the duty you have to prevent and report personal data breaches. You can read our GDPR blog series by following the links below:
- The General Data Protection Regulation – An introduction to GDPR
- How the GDPR affects the personal data you hold
- Plan how you need to change ahead of GDPR implementation
- How GDPR gives rights to individuals and their data
- What is your lawful basis for processing data
- GDPR gives you a duty to prevent and report data breaches
Your duty to prevent and report data breaches
Under GDPR, all organisations must introduce appropriate policies and procedures to protect all personal data they hold. In the event of a serious data breach, GDPR states that a company could be fined millions of euros or up to 4% of its annual turnover.
A personal data breach is defined as any incident that results in the accidental or unlawful destruction, loss, alteration or disclosure of, or unauthorised access to, personal data you hold. A data breach under GDPR is about far more than just losing data: it includes both accidental and deliberate breaches at all levels of your business.
Common examples of data breaches could include:
- Access by an unauthorised third party
- Deliberate or accidental action (or inaction) by a member of staff
- Sending data to the wrong recipient
- Computers and hard drives containing data being lost or stolen
- Alteration of data without permission
GDPR stipulates that you should be able to recognise when a personal data breach has occurred and have a pre-prepared plan to respond to any breach. In some cases you may need to report a data breach to the ICO, but this is only required where the breach could result in the loss of an individual's rights and freedoms (such as identity theft, fraud, financial loss and confidentiality). If this isn't likely, then you don't need to report it, but the justification for that decision must be documented.
Preventing a data breach
Below is a simple breakdown of how your business can take steps to prevent data breaches.
- You must know where you store personal data and how the data is used
- Identify all potential risks that could cause a breach
- Apply appropriate measures and policies to mitigate the risks
- Conduct regular tests and data audits
Staff should be trained to process data correctly in accordance with your internal policies. Any breach should be investigated to determine whether it was due to human error or a systemic issue, with steps taken to prevent further occurrences – this could include new processes or further staff training.
In cases where you pass personal data you hold to another company, it is your responsibility to ensure they are also GDPR compliant, including the systems they have in place to protect it. In the event of a data breach you should inform them without undue delay so that further breaches and data errors can be prevented.