Data Protection Impact Assessments & Personal Data Breaches

May 2019

This month, the GDPR celebrated its one-year anniversary. Just over a year ago, the GDPR came into effect, bringing with it the biggest change to data protection law in two decades. Some were ready ahead of time, others were unprepared, and many are still in the process of getting to grips with the GDPR and building best practice and compliance into their businesses.

Few areas of law stand still for long, and data protection is one which is constantly moving. It may be a very long time before we see an overhaul as significant as the GDPR again, but that does not mean that compliance measures put in place last year can simply be left alone.

Whether you’re still getting your data protection ducks in a row, or whether you were already in shape by May last year, now is the perfect time to review your data protection framework, evaluating its effectiveness, and looking for improvements.

New Data Protection Impact Assessment Guidance Notes

If you are looking to use personal data in a new project, perhaps in a new way or utilizing new technologies, a Data Protection Impact Assessment is often advisable. In some cases, it is not only advisable, but a requirement of the GDPR.

A Data Protection Impact Assessment or “DPIA” is designed to make you consider the appropriateness and proportionality of your proposed personal data usage, and to carefully evaluate the likelihood and severity of risks and suitable solutions to those risks.

DPIAs can be complex and somewhat overwhelming. Our new DPIA Guidance Notes have therefore been created to help by providing a guide to the essentials, including what exactly a DPIA is, when one is required, the important things to cover when carrying one out, and how to follow up on one.

New Data Breach Guidance Notes

With any luck, your DPIA will ensure that you don’t suffer a data breach. Nevertheless, even with the most careful planning and the best technical and organizational measures in place to protect personal data, the worst can happen. Personal data can be unlawfully destroyed, lost, altered, disclosed, or accessed. Whether this has been caused accidentally or deliberately, quick and decisive action is essential.

You should quickly take steps to mitigate the effects of a breach, and must establish, in short order, whether it needs to be reported to the ICO. Particularly serious breaches that pose high risks to individuals must also be reported to those individuals whose data is involved. Not only that, but data breaches must also be taken as a learning experience, ensuring that whatever flaws have been highlighted as contributing to a breach are fixed to prevent a repeat performance.

Our new Data Breach Guidance Notes will help you to understand what a data breach is and how to recognize one, how to deal with it, and how to comply with your all-important obligations under the GDPR.

The contents of this Newsletter are for reference purposes only and do not constitute legal advice. Independent legal advice should be sought in relation to any specific legal matter.