21 February 2018
Help – we’ve had a data breach. Do we need to report it under GDPR?
The General Data Protection Regulation is by now well and truly on everyone’s radar. Hopefully your organisation has started preparing for the 25th May deadline. Here at Centor, we have started speaking to our clients about it and we are finding many are confused about the difference between a data breach and a data incident. Here’s a brief explanation.
Should I report all data breaches?
No – not all data breaches will need to be reported to the Information Commissioner’s Office (ICO) and customers alike.
Under GDPR, it will be mandatory to report a personal data breach if it’s likely to result in a risk to people’s rights and freedoms. But how do you determine how high risk the incident is? The best approach is to examine the types of incidents your organisation faces and develop a sense of what constitutes a serious incident in the context of your data and your own customers. Examples of high risk situations that might require reporting are any incidents which could lead to people suffering a detrimental effect, for example, discrimination, damage to reputation, financial loss or any other significant economic or social disadvantage.
Article 34 of the GDPR says it is not necessary to notify the individual if the data controller ‘has implemented appropriate technical and organisational protection measures’. Examples of such protection measures might include encryption, password protected attachments and secure web services.
If you’re still not sure whether to report a specific breach or not, call the ICO for advice on 0303 123 1113.
How much detail do I provide?
You should provide as much information as you can, and must do this within 72 hours after becoming aware of it. If you don’t have all the details yet, you can provide these later.
Will the ICO issue a fine for all breaches that occur?
Much has been made in the media of the huge increase in the maximum fines chargeable under GDPR. The ICO says fines will be proportionate and not issued in the case of every infringement. Fines can be avoided if an organisation is open and honest and reports the breach without undue delay. This doesn’t mean, of course, that organisations should become more casual in their approach to data protection. It’s important to be able to show you’re compliant and have proper procedures in place. Rather than seeing the GDPR as a big stick the ICO will beat organisations with, it’s best to see it as an opportunity to improve your processes and transparency, so that consumers have greater trust in organisations.
This article explains data breach reporting in further detail. If you’re still worried about the effects of a breach, you might like to speak to us about cyber insurance. We only recommend cyber cover which includes a dedicated incident response team to assist you, 24/7. They can help manage everything from notifying potentially affected customers to monitoring social media post-breach.
For more information, please get in touch with:
James Groves, Account Manager
0207 330 8707