Data Breaches
If you have identified the data you hold and how you store it, then dealing with a data breach is much more straightforward than it would otherwise have been.
A data breach is defined as:
“A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”
As an employee, if you are aware of a breach or potential breach of data, you must notify the person responsible for data protection in your organisation immediately, so that they can take the appropriate steps to deal with the situation and minimise the risk.
As an organisation, if you are unfortunate enough to suffer a data breach, you will need to make sure that you have procedures in place to record, and if necessary report, the breach to the regulatory authority.
If you become aware of a breach that is likely to cause harm to the data subject or subjects, you should notify the ICO without undue delay and certainly within 72 hours. If the breach poses a high risk to the individuals involved, they should also be notified within the same time period. There are some exemptions, for example if the data has been rendered unintelligible or if the high risk has been negated by other measures.
If you do need to report a breach, you will need to include certain information. This includes a description of the nature of the personal data breach, including where possible the categories and approximate number of data subjects concerned, and the categories and approximate number of records concerned.
You would also need to outline the likely consequences of the breach and include the name and contact details of the data protection officer, or of the person who will be able to provide more information.
You should also describe the measures taken or proposed by the controller to address the personal data breach, including any appropriate measures that could be taken to mitigate its potential adverse effects.
An internal breach register should be held and used to document any personal data breaches. It should include all information relating to each breach, its potential effect and any action that has been taken. This documentation may be used to demonstrate compliance to the supervisory authority.