Under the new GDPR you will be required to be able to report on a data breach. In this blog we look at what a data breach is and what to do if you have one.
A Data Breach: No matter how good the governance, controls and discipline around data protection are, data breaches of some type will occur. But what can be defined as a data breach?
A data breach is an incident in which sensitive information, such as personal details, is exposed, whether through accidental internal errors, malicious intent or external hacking. In some organisations data breaches can be a daily occurrence, ranging from very small and insignificant to high-level, high-impact cases.
Should we all be concerned? Yes! According to IDG (International Data Group), which compiled a list of the top 16 cases of the 21st century so far, ranked by risk and damage rather than by the number of records, Yahoo takes the top spot: between 2013 and 2014, three billion user accounts were compromised. All of this came to light during its sale to Verizon and resulted in an estimated $350 million being knocked off the price, with the combined company sharing the regulatory and legal liabilities. The list goes on and includes Equifax, eBay, TJX, Sony PlayStation, VeriSign and Adobe, each of which was fined in various ways.
Although under the Data Protection Act 1998 there is currently no legal obligation on data controllers to report breaches of security that result in the loss, release or corruption of personal data, the ICO states that serious breaches should be reported. However, when the GDPR comes into force in May 2018 this will all change. Under the new legislation, in the event of a personal data breach the data controller must notify it without undue delay and within 72 hours of becoming aware of the breach. Unless the risk is minimal, any failure to meet the strict 72-hour deadline must be accompanied by the reasons for the delay.
The notification to the ICO must include:
- The nature of the breach.
- The categories and numbers of data subjects and data records potentially affected by it.
- The name and contact details of the data protection officer.
- The likely consequences.
- A description of the measures taken to address the issue, including, where appropriate, measures to mitigate its possible adverse effects.
If it is not possible to provide all of the information immediately, it can be provided in phases. The controller must document the breach, including its nature and any remedial action taken. This documentation will enable the supervisory authority to verify compliance with Article 33 (Notification of a personal data breach to the supervisory authority).
You can read our previous GDPR blog, What Does Consent Mean, here.
By Ben Crick, Chief Operations Officer, Symatrix