Data breaches are a key part of GDPR. You need to have the right procedures in place to detect, report and investigate a breach.
GDPR introduces the obligation to report breaches to the national authority (the ICO in the UK), and sometimes to individuals, depending on the type of information compromised by the breach and the potential damage to the individual's rights and freedoms.
If the breach you suffered can damage individuals' rights and freedoms, you must report it to the ICO. Examples of such damage are financial loss, damage to reputation, discrimination, and loss of confidentiality. This is not an exhaustive list, as any potential economic or social damage is included.
If the risk to the individuals is high, you must notify them as well, for instance if the stolen data could result in identity theft.
What to report
You must report the nature of the breach, including how many individuals were concerned, and the categories and number of personal data records concerned.
You should also include the name of the Data Protection Officer, or the person responsible for data protection in your organisation, and the possible consequences of the data breach.
You should also detail what measures have already been taken, or that you propose to take, to deal with the data breach, and what measures you have taken to mitigate its effects.
How to notify of a breach
You have 72 hours from discovering the breach to notify the ICO. It is usually not possible to have all the details at hand in such a short period of time, but you must at least make the ICO aware of the breach, and feed back information to them once it becomes available.
Failure to notify the ICO can lead to hefty fines, up to 10 million euros, or 2% of global turnover for the organisation.
Going back to one of the first posts in this series, Awareness, it is important that everybody in the organisation is aware of their responsibility.
You should train your staff to understand what a data breach is, and have the right procedures in place so they can report it to the right people quickly. This will help you assess whether you need to notify the ICO only, or the affected individuals as well.
Time is short, so having all your procedures in place will help you stay in compliance should this ever happen to your organisation.
GDPR is coming into force on 25th May 2018.