Our recent series of blogs covers the General Data Protection Regulation (GDPR) which will be effective from May 2018. We’ve looked at various aspects of data protection rights for individuals, and responsibilities for organisations. This week, our focus is on preparing for the worst: what to do if there is a breach of personal data security in your organisation.
The GDPR will introduce a duty on all organisations to report certain types of breach of personal data security to the relevant supervisory authority, and in some cases to the individuals affected. In the UK, this authority is the Information Commissioner’s Office (ICO). The ICO is an independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
A breach of personal data security under the GDPR means an infringement of security leading to the destruction, loss, alteration, unauthorised disclosure of, or non-consensual access to personal data. This means that a breach is more than just losing personal data. For instance, a patient’s health record may be inappropriately accessed at a hospital due to a lack of appropriate internal controls.
A UK organisation only has to notify the ICO of a breach where it is likely to result in a significant detrimental effect on the rights and freedoms of individuals. The breach is notifiable if it would result in discrimination, damage to reputation, financial loss, loss of confidentiality, or other significant economic or social disadvantage to the individual in question. This has to be assessed on a case-by-case basis. An organisation will need to notify the ICO about a loss of customer details which risks identity theft, but would not have to notify the ICO of an inappropriate alteration of a staff telephone list.
A notifiable breach has to be reported to the ICO within 72 hours of the organisation becoming aware of it. The GDPR recognises that it will often be impossible to investigate a breach fully within that time period, and allows an organisation to provide information in phases. But if the breach is sufficiently serious to warrant notification to the public, the organisation responsible must do so without undue delay. Most importantly, any failure to report a notifiable breach can result in a fine of up to EUR10 million (£8.7 million), or 2 per cent of an organisation’s global turnover.
Where a breach of personal data security is likely to result in a ‘high risk’ to the rights and freedoms of individuals, an organisation must also notify those concerned directly. It’s worth noting that this threshold for notifying individuals is higher than that for notifying the ICO.
An organisation would have to notify the affected individual of certain aspects of the breach. First, it must inform the person of the nature of the personal data breach, including the categories and approximate number of individuals and personal data records concerned. Obviously, it would need to include the name and contact details of the data protection officer (if your organisation has one) or other contact point where more information can be obtained. Crucially, the organisation has to describe the likely consequences of the personal data breach, specify the measures taken to deal with the breach and, where appropriate, outline the measures taken to mitigate any possible adverse effects.
Every organisation in the UK which holds personal data should make sure that its entire staff understands what constitutes a data breach, and that this is more than simply a loss of personal data. In practice this means ensuring that an internal breach reporting procedure is in place, so that decisions about whether the ICO or the public must be notified can be made quickly. In light of the tight timescales for reporting a breach, such a procedure must encompass robust breach detection, investigation and internal reporting.
The ICO will be publishing specific guidance on personal data breaches, and how organisations can prepare themselves for breach reporting, later in 2017. We’ll bring your attention to this guidance in a later blog. In the meantime, why not have a look at the ICO’s handy ‘12 steps to take now’ document available on its website, covering various aspects of the GDPR.
It goes without saying that CAS is fully compliant with current data protection regulation, and future-proofed for the new GDPR regime too. Whether it’s our document storage or scan-on-demand services, we’ll keep your data safe and secure. And if you use our office removal and data disposal services, data protection is always a primary consideration for us. Call one of the CAS team now if you’ve got any questions about any of our services.
CAS provides comprehensive and secure document digitisation, information storage and facilities management services. For more than 20 years CAS has worked with NHS Trusts, Financial Services providers, and corporate and private clients. Our head office is just four miles from the City of London, supported by our advanced storage centres across the UK. CAS holds an impressive array of international certifications (ISO standards), which demonstrate our compliance with the strictest national, European and international laws. They also demonstrate our commitment to providing innovative systems for security, confidentiality and quality control in keeping your files safe and well managed. CAS, offering 20 years of secure document storage in London.