GDPR Countdown Week 8: Data Breaches
Under GDPR obligations are being imposed which will require employers to both record and report data breaches.
From 25 May 2018, if a personal data breach occurs, which is a high risk to the rights and freedoms of individuals (for example where the personal data is exposed to be potentially accessed by others), an employer must, without undue delay and not later than 72 hours after having become aware of it, notify the ICO.
Reporting is only required when a data breach is a high risk. Where this is the case, the following needs to be set out to the ICO:
- The nature of the breach with details including the numbers of individuals and records concerned
- Contact details for more information
- Likely consequences of the breach
- Measures taken or proposed to address the breach and mitigate the adverse effects.
The employer will also need to inform the individuals affected of the breach and the last 3 of the bullet points above (unless limited exceptions apply).
Whilst non-high risk breaches do not require reporting to the ICO, they will require recording (along with the high risk ones). The record should also set out the steps taken to mitigate the risk of such breaches occurring again. That log should be stored securely should the ICO wish to inspect it.
To comply with the reporting and recording requirements above, employee education on these issues will be key.
If you have any questions about the above please do not hesitate to contact firstname.lastname@example.org or your usual Weightmans advisor.