Under the UK General Data Protection Regulation (UK GDPR), organisations must report a notifiable personal data breach to the Information Commissioner's Office (ICO) without undue delay and, where feasible, within 72 hours of becoming aware of it.
Any security incident, whether deliberate or accidental, that compromises the confidentiality, integrity, or availability of personal data is a personal data breach. For instance, a breach could occur:
When a security incident occurs, you should first establish whether personal data has been compromised. Your assessment should focus on the likely adverse effects on the individuals concerned, which will depend on:
You may be required to notify the Information Commissioner's Office (ICO) of the breach and, in some cases, the individuals it affects. Let's look at when you must report a breach.
You are not required to notify the ICO of every personal data breach. You must report a breach, however, if it is likely to result in a risk to people's rights and freedoms.
For instance, if the breach is likely to result in:
Other laws, such as the Privacy and Electronic Communications Regulations (PECR), the UK's e-privacy rules, may also require you to report the incident, in some cases to a different timescale.
The ICO provides a self-assessment tool to help you decide whether a breach is reportable, together with guidance on how to report one.
Whether or not a breach is reportable to the ICO, you must keep a record of it as part of your obligations under the UK GDPR's accountability principle. Document the facts of the breach, its effects, and the remedial action taken.
Beyond notifying and documenting a personal data breach, you may have additional notification obligations under other laws.
This applies, for instance, if you are an operator of an essential service, a digital service provider, a communications service provider, or a UK trust service provider.
You may also need to inform third parties who can help reduce the risk of financial loss to individuals, such as the police, your insurer, professional bodies, banks, or credit card providers.
Failing to notify the ICO of a breach when you are required to do so can attract a fine of up to £8.7 million or 2% of your total annual worldwide turnover, whichever is higher. Under the UK GDPR, the ICO may impose this fine alongside its other corrective powers.
Being open and honest about a breach, reporting it promptly, and demonstrating that you take the security of personal data seriously are all mitigating factors that the ICO takes into account when deciding on enforcement action.
Make sure you have reliable processes in place to detect, investigate, and escalate breaches quickly, and that, in the event of a notifiable breach, you can provide the ICO with all the required information. If you decide not to report a breach, document your reasoning for that decision.
Reporting a data breach is often a legal requirement and is an important part of handling personal data breaches properly. If you want to prevent data breaches and protect your organisation from cyber attacks and unauthorised access, Swiftcomm can help.
Get in touch with our friendly support team today to find out how we can manage your organisation's data privacy and IT security.