The new European General Data Protection Regulation is set to become law in Spring 2016. This will significantly change the way businesses handle any personal data that they hold.
Let’s take a look at how the new law will affect personal data breaches, and what action you need to take if this should occur.
What is a personal data breach?
There is a new requirement on all data controllers to report breaches of security that result in the accidental or unlawful loss or disclosure of personal information, if the breach results in a risk to the rights and freedoms of the individual. There will be guidance from the European data protection authority and the Information Commissioner’s Office (“the ICO”) on what this actually means, but the organisation will have to consider whether there is any risk to the individual arising from the breach (e.g. identity fraud or damage to reputation). If there is, it is likely that the breach should be reported.
How long does an organisation have to report the breach?
The breach must be reported within 72 hours of becoming aware of it. The GDPR says the time limits must be complied with “where feasible” but the ICO will expect very good reasons for non-compliance.
What obligations does the data processor have?
Where an organisation has employed a third party to process the information, the third party processor is required to inform you of a breach without undue delay and they will have to work with you to comply with your requirements to notify the breach. Whilst it is the controller organisation who notifies the ICO and the individual, the processing organisation may face a penalty or legal action if it has not complied with its duties to ensure the security of the information.
What information will the ICO want?
At the time of reporting the breach or as soon as possible after, the ICO will need to know the following information:
- the nature of the breach, the number of individuals and records affected and the categories of information;
- the likely consequences of the breach;
- the measures taken (or proposed) to address the breach and, where appropriate, to mitigate its possible adverse effects.
The organisation should document the breach including all the facts, its effects and the remedial action taken. This documentation must contain enough information for the ICO to be able to check that the organisation has complied with these requirements. The name and contact details of the data protection officer should be included.
Does an organisation need to tell the individual concerned?
The organisation must tell the individual “without undue delay” if there is a high risk to his or her rights and freedoms. The individual should be notified in clear and plain language and given a description of the breach, the likely consequences, and the measures taken (or proposed) to address the breach and mitigate its possible adverse effects. The individual should also be given the name and contact details of the data protection officer.
If the breach is a data loss and that data has been encrypted and cannot be accessed by any third party, then the organisation may not have to notify the individual.
What if large numbers of individuals are affected?
If it is disproportionate to contact all the individuals who may be affected, then the organisation could publish a communication giving details of the breach. This would only apply to loss of data on a large scale, and so advice should be sought in such cases.
Where can I get specialist advice?
As experts in data protection law, Probert Legal can help you steer a path through the new legislation and ensure that your systems and procedures are robust.
For further information, contact Tracey Wakelam on email@example.com