What is a data breach?
The Information Commissioner's Office (ICO) regards a data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data”. In the event of a data breach, the controller of the personal data must consider reporting the breach to the ICO and, in some cases, to the affected individual(s).
Reporting data protection breaches
You are obliged to report a data breach to the authorities if the breach is likely to result in a “risk” to the “rights and freedoms” of the affected individuals. In assessing that risk, you should consider the potential negative consequences for the individual, which may include emotional distress as well as physical and material damage.
Where the breach is likely to result in a “high risk”, you must also inform the affected individuals without undue delay. Failure to report a data breach can carry heavy penalties, including fines of up to 4% of annual global turnover or 20 million euros.
How long to report a data breach
When a data breach occurs, it is vitally important to assess the risk promptly, because breaches must be reported within 72 hours of your becoming aware of them. It is not always clear whether a breach has occurred. There are guidelines to help with this assessment, and the reporting procedure allows you to notify a possible breach first and then follow up once the position has been established.
You must keep a record of all data breaches.
Data breach assessments
If you experience a data breach, we can help you assess whether it needs to be reported to the relevant supervisory authority within the 72-hour window. We can also assist you in drafting the report and advise you on the immediate remedial steps needed to mitigate the risks and damage arising from the breach. This includes considering whether data subjects need to be informed, advising on general communications, and helping you to manage enforcement action and claims for compensation from data subjects.
A data breach can be financially damaging, and it can also harm an organisation's reputation, particularly if the breach involves the personal data of customers and clients.
Why use BM Data Services?
Prevention is better than cure: does your business have the right systems in place to manage security and report data breaches? Every organisation must implement appropriate technical and organisational measures to avoid possible data breaches. We can help you put in place the policies and procedures you need not only to manage data breaches but to prevent them. We can also provide training for your staff; this is a key requirement, because your staff are crucial to reducing both the risk of breaches and the damage that could arise from them.
BM Data's team of qualified practitioners has a wealth of experience in taking swift action when a business has been exposed to a data breach. We have experience dealing with the ICO and other supervisory authorities, and in advising businesses on how to manage relationships with key stakeholders and data subjects, as well as enforcement action and claims.