Data Breaches and Security

A data breach is defined by the GDPR’s as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

This covers loss, theft or damage of physical equipment on which personal data is stored, cybercrime or inadequate access controls allowing unauthorized use.  It also covers human error and unforeseen factors such as fire and flooding.

Controllers and processors must implement technical and organisational measures to demonstrate that the level of security they implement is appropriate to the risk.  This level is based on the costs of the security and the nature, scope and purpose of the processing and is balanced against the risk and likelihood of a breach and its impact on the rights and freedoms of the data subject.

The Regulations also require organisations to ensure their processes embed Privacy by Design into their projects and that new technologies are designed with data protection requirements in mind.

Presently there is no legal requirement to report a data breach.  Under the GDPR’s this will change.  The Regulations create an obligation to notify a data breach to the Information Commissioners Office (ICO), within 72 hours of the time at which you become aware of the breach.

You can avoid this notification procedure if the security breach is unlikely to result in a risk to the data subject.  You may also need to notify in clear and plain language, each and every data subject whose information has been breached.  The GDPR’s state that this will be necessary if the breach is likely to result in a high risk to the individuals affected and must be done “without undue delay”.

Whilst we have no guidance yet on what “risk” and “high risk” mean, we can assume that any breach of special categories of data would invoke a notification to the ICO and the data subject.

In terms of the notification content, this must describe the nature of the breach and if possible, the categories and approximate number of data subjects/records it concerns.  It must also provide contact details for the resident DPO.

If we can assist you or your business in any way, or if you have any questions in relation to the services that we offer, please contact us. We look forward to working with you.

Data Breaches and Security Checklist

  • Do you have a Data Breach Response Plan?
  • Have you reviewed your insurance cover in light of higher fines and penalties?
  • Have you reviewed your liability provisions in agreements for breaches caused by third party providers?
  • Are you required to conduct a Privacy Impact Assessment? If so, has one been done?
  • Do you conduct regular testing of security systems and measures?
  • Have you embedded Privacy by Design into your processes?
  • Are your security measures commensurate with the risk and potential harm to the individual?
  • Do you have a Breach Register?
  • Do you have a Disaster Recovery Plan?