Complying With the GDPR When Things Go Wrong

June 2018

Data breaches (which may or may not involve personal data) come in all shapes and sizes. A breach may, for example, involve the loss or theft of data; unauthorised access to, use of, or modification of data; or something apparently less direct such as equipment damage, human error, or the loss or theft of equipment – the business laptop left on a train being a classic example. Under the GDPR, a “personal data breach” is any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, so a breach of availability (data you can no longer get at, for instance after a ransomware infection or a failed backup) counts just as much as a breach of confidentiality.

Initial steps to be taken upon the discovery of a breach should include containing the breach itself, determining the full particulars of it, working out what needs to be done to resolve and remedy the situation, and establishing who needs to be told about it straight away (the police, for example, or your insurance provider).

A full investigation and assessment of the breach should go into more detail: the categories and approximate number of data subjects affected, the categories and approximate volume of personal data records involved, the likely consequences of the breach for those individuals, and the measures taken or proposed to address it and to mitigate its effects. These are the particulars the ICO will expect to see in any notification, so gathering them early saves time later.

This must all be done quickly because some personal data breaches must be notified to the Information Commissioner’s Office and to the individual data subjects whose data is involved. A personal data breach must be reported to the ICO without undue delay and, where feasible, within 72 hours of you becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals concerned; if the 72 hours are missed, the notification must explain the reasons for the delay. Where the breach is likely to result in a high risk to those individuals, they must also be informed “without undue delay”. Notification will therefore not always be required, but the risk assessment behind that decision must be made carefully and on the facts, not on optimism. When in doubt, notify, or at least ask the ICO what to do. Failure to notify when you are supposed to can result in substantial fines under the GDPR.

New Data Breach Report Form

Discovery is where it all begins. Our new Data Breach Report Form has been designed to enable staff members to easily report suspected or actual data breaches so that they can be handled and investigated by the appropriate person or department (e.g. your Data Protection Officer if you have one).

New Data Breach Policy

Our new Data Breach Policy template is where the magic happens. This document sets out the key steps to follow when handling a data breach (whether it involves personal data or otherwise). The Policy starts with the initial internal reporting requirements and details each stage all the way through initial containment to investigation, notification, and the evaluation and implementation of future preventative measures.

New Data Breach Register

A key principle of the GDPR is the “accountability principle”. In simple terms, this can be summed up as “document everything!”. Not only must you have the appropriate measures, procedures, systems etc. in place to comply with the GDPR, but – and this is especially important when, despite your best efforts, something goes wrong – you must also be able to demonstrate that you have them and that you aren’t neglecting your responsibilities.

In the case of data breaches, all aspects should be recorded – regardless of whether you need to notify the ICO or data subjects. The GDPR requires you to document every personal data breach, including the facts, its effects and the remedial action taken, so that the ICO can verify your compliance; if you determine that notification is not required, record your reasoning for that decision as well, as you may need to justify it if problems emerge down the line. Our new Data Breach Register is designed to be used alongside the Data Breach Policy and enables you to record key information not only about the breach itself, but also about your response to it.

In an ideal world, there would be no data breaches, but with the best will in the world, accidents can happen, and it’s always worth remembering that however good your cybersecurity might be, those attempting to break it are just as clever as those that designed it. Having procedures in place to handle a data breach if and when it happens can save vital time and protect not only the data itself, but also those to whom it relates and, by extension, your commercial interests and your reputation. Most importantly, it can help you stay on the right side of the law and avoid those pesky fines that virtually every article about the GDPR likes to wrap up with!

The contents of this Newsletter are for reference purposes only and do not constitute legal advice. Independent legal advice should be sought in relation to any specific legal matter.
