The General Data Protection Regulation (GDPR) requires you to take “appropriate” measures to ensure that personal data processing is carried out in a secure way. This seems a very broadly-worded requirement, but it is not accidental. Every organisation is under a duty to think carefully about what’s appropriate for them, taking into account the risks to the rights and freedoms of individuals that a data breach might pose.
In addition, and for the first time, GDPR requires all data controllers to report certain types of data breaches to their national data regulator (in the UK it’s the ICO). You must also keep an internal record of all personal data breaches.
You might be wondering what exactly the lawmakers mean by a “personal data breach”, as well as what you should do if you are hit by one. Decision makers need to be aware of how they can safeguard their organisation against breaches and stay on the right side of the regulator. If this sounds a lot like the things you have been asking yourself, then read on to find out more.
What constitutes a personal data breach under GDPR?
GDPR only concerns personal data. So, if it’s just your business accounts or intellectual property that are affected, these rules don’t apply. If it’s information that can identify a real person (e.g. customer or HR data), then the GDPR does apply.
A breach means loss, destruction, alteration, unauthorised disclosure or access to personal data. It could be deliberate or accidental. Some real-life examples include the following:
- Water damage to your warehouse leading to destruction of paper-based customer records
- An unauthorised login enabling someone from outside your organisation to access your CRM platform
- A systems failure leading to permanent loss of HR data spreadsheets
- A hacker deploying spyware that lets them access your entire data estate at will
- A departing manager ‘going rogue’ and downloading your customer contact file before she leaves