In 2017, 46% of all UK organisations experienced at least one cyber-security breach or attack, according to government data. Personal breaches can be especially harmful as they can lead to the destruction, loss, alteration or unauthorised disclosure of, or access to, personal data. If the breach is likely to significantly impact individuals’ rights and freedoms, your organisation must inform them without delay.
Under the GDPR, organisations are required to report certain types of personal data breaches to the relevant supervisory authority within 72 hours. If it doesn’t, then an organisation could be fined up to €10 million or 2% of its annual turnover, whichever is higher. Along with significant fines, personal data breaches could also have a profound impact on your organisation’s reputation—even if you promptly inform all those affected.
Your reputation is intrinsically linked to your brand and if you experience a data breach, individuals may then view you as being untrustworthy and take their business elsewhere. What’s more, failing to meet data breach requirements may hold your directors and officers liable for their inability to implement the necessary safeguards.
Protect your organisation from hefty GDPR penalties and reputational damage by following these three steps:
1. Contact the relevant supervisory authority of a breach within 72 hours.
2. Directly contact individuals affected by a breach if it is likely to result in a high risk to their rights and freedoms. (Note: The Information Commissioner’s Office defines a high risk as ‘the threshold for notifying individuals is greater than notifying the relevant supervisory authority’.
3. Complete a breach notification containing the following information:
– The categories and number of people affected by the breach
– The categories and number of personal data records affected by the breach
– The name and contact details of the data protection officer or an additional contact where more information can be obtained
– A detailed description of the breach’s potential consequences
– A detailed description of what measures your organisation has taken or will take to address the data breach
– A detailed description of the measures your organisation has taken or will take to mitigate any possible adverse effects to either itself or the individuals affected