Data Breaches

A data breach can be a small breach or massive breach that results in large fines, for example a large internet site is hacked and someone manages to obtain millions of users' email addresses and data, obviously that is a massive data breach. 

A small data breach may be something simple and these are things that small businesses need to try and avoid, one example could be sending out an invoice to the wrong individual, where someone ends up opening an envelope that contains someone else's data, that is a small data breach which you may not even be aware of unless a customer complains or informs you that they have received it.

If you are made aware of a breach you should record it for your internal records.  There wouldn't be a need to report a small breach that poses no risk to the individual concerned, to the Information Commissioners Office justifying why you consider that it doesn't need to be reported.

When there is special category or sensitive data involved this is a different matter, you should treat this type of data very carefully. If there is a breach of sensitive data that could harm somebody if it was in the domain or passed on to a third party, then that would be much more serious data breach, even when it is only involves a handful of people, or maybe even only one person. 

To avoid data breaches where any information about an individual is passed to another individual by accident or with malicious intent and applies regardless of the number of individuals it affects. So you need to take care to ensure that you keep it controlled and take care with people's personal data.

Take care if you use a pad to make notes that include personal data, you need to make sure that you keep them with you at all times, don't leave them lying around or in a car where they could be stolen.

Laptops and other hand held devices should be protected from malware and viruses and password protected, be aware that there is always someone that can get bypass virtually any kind of security. 

If you have a laptop or hand held device that contains a lot of personal data, you should make sure that they are stored securely you should keep them with you at all times, never leave them unattended or locked in a vehicle overnight where someone could potentially steal them and access people's personal data.

Personal data is any information that identifies an individual. Sensitive data is now known as Special Category Data under GDPR and includes:

• Race
• Ethnic origin
• Politics
• Religion
• Trade union membership
• Genetics
• Biometrics (when used for identification purposes)
• Health
• Sex life or sexual orientation.

 A data breach that involves special category (sensitive personal data) could create a more significant risk to the individual's rights and freedoms, they could for example be subject to risk of unlawful discrimination as a result of a breach.

Any breach that is likely to result in a high risk of adversely affecting the individuals involved should be notified to the Information Commissioners Office without "undue delay" and within  72 hours of becoming aware of the breach. If you take longer you will need to explain the delay.

Where the breach involves data that is likely to pose a high risk to the rights and freedoms of the individual, the individuals should be notified as soon as possible.