One of the biggest talking points of the GDPR (General Data Protection Regulation) is its data breach notification requirements. The rules, which include a strict 72-hour deadline for reporting incidents, have caused many organisations to question how they could possibly comply, and many will be tempted to put off their duties and deal with data breaches if and when the time comes.
But make no mistake: a breach will happen, and you’ll need a plan in order to mitigate the damage and meet your compliance requirements. In this blog, we explain everything you need to know about managing data breach response.
What is a personal data breach?
A data breach is any event in which the confidentiality, integrity or availability of information is compromised. Data doesn’t need to be stolen to be breached; it counts as breached if it has been lost, destroyed, altered, corrupted, or accidentally disclosed to or accessed by someone who shouldn’t have it.
Data breaches can happen to any kind of information, but the GDPR is concerned only with personal data. The Regulation defines this as “any information relating to an identified or identifiable natural person”. In other words, any information about a living individual who is either named or can be picked out, directly or indirectly, from that information.
This might be someone’s name, ID number, location data or online identifier, or a combination of details (a job title, an employer and a postcode, say) that on their own identify nobody but together point to one person.
When do you need to report breaches?
A personal data breach must be reported to your supervisory authority unless it is unlikely to result in a risk to the rights and freedoms of natural persons. The test is about the risk to the affected individuals, not the risk to your organisation.
This refers to the possibility of affected individuals facing physical, material or non-material damage, such as discrimination, identity theft or fraud, reputational damage or financial loss. Where the breach is likely to result in a high risk to individuals, you must also tell the individuals themselves without undue delay, in addition to notifying the supervisory authority.
When reporting a breach, you need to provide the following information:
- Situational analysis: Provide as much context as possible, including the initial damage (what happened), how it affected your organisation (what went wrong) and what caused it (how it happened).
- Assessment of affected data: Ascertain the categories of personal data and the number of records concerned.
- Description of the impact: Describe the consequences of the breach for affected parties. This will depend on the information that was compromised.
- Report on staff training and awareness: If the breach was a result of human error, did the employee(s) involved receive data protection training in the past two years? Provide details of your staff awareness training programme.
- Preventive measures and actions: What measures did you have in place before the breach to prevent incidents like this from occurring? What steps have you taken, or plan to take, to mitigate the damage?
- Oversight: Provide the contact details of your DPO (data protection officer) or the person responsible for data protection.
How much time do you have to report a breach?
Organisations must report a breach without undue delay and, where feasible, within 72 hours of becoming aware of it. The clock starts when you become aware of the breach, not when the incident actually occurred, so detection and internal escalation need to be quick. The GDPR acknowledges that it will be hard to produce all of the necessary information within this time-frame: you may provide it in phases without undue further delay, and an initial notification with the facts you have is better than a complete one that arrives late. If you do miss the 72-hour deadline, the notification must be accompanied by reasons for the delay. Whether or not a breach is reportable, you must document it, including the facts, its effects and the remedial action taken, so that the supervisory authority can verify your compliance.
How will you respond to a data breach?
You can discover more of our tips for managing data breaches by reading The data breach survival guide.
This free download provides more detail about how you can meet each of the steps we’ve outlined here, and explains how you can reduce the risk of information security incidents.
I work as a self-employed courier for an established temperature-controlled courier company. I drive their vans and I am paid an hourly rate for every job I do. They have asked for my UTR number. I have asked what their data protection covers and got an e-mail reply from their accountant stating it was to ensure I was paying my own tax, and there was no reference to any data protection procedure. Is this reasonable, and should I give them what they ask? They already have my national security number, my name and address, also my bank details and driving licence details.
Hi Dean
Your UTR number is unique to you and is considered personal data, as under the General Data Protection Regulation (GDPR) identification numbers are personal data.
There are six lawful bases, and an entity must use at least one of them to process your personal data. They are:
1. With your consent.
2. To enter into, or for the purposes of, fulfilling a contract.
3. Where the processing is necessary to meet a legal obligation.
4. Where the processing is necessary to protect the vital interests of the data subject.
5. Where the processing is necessary for tasks in the public interest or exercise of authority vested in the controller.
6. Where the processing is for the purposes of legitimate interests pursued by the controller.
I suggest you ask the accountant to advise which of the above lawful bases he/she is using to process your UTR number, and why. If he/she does not have a lawful basis for this processing, then he/she should not be requesting your UTR number.
I hope this helps.