It is virtually impossible for any organisation to eliminate the chance of a data breach ever happening. What every organisation can do is take all the steps necessary to minimise the risk of a data breach occurring. This, combined with being prepared and knowing what action to take if a data breach does occur, will lessen its effects.
Organisations using the Privacy Compliance Hub know what they must do if they suffer a data breach, who is responsible for doing it and when it must be done by, all of which will limit the risk of fines, bad publicity and loss of vital customer trust. Planning ahead will free up valuable time to contain and recover from the breach itself.
Types of personal data breach (‘CIA’)
A personal data breach is not just unauthorised disclosure or access to personal information (a ‘confidentiality’ breach). It also includes loss or destruction of personal information (an ‘availability’ breach) and alteration of personal information (an ‘integrity’ breach).
When, who and how to notify a personal data breach
Organisations must notify certain personal data breaches to the regulator (also called the relevant supervisory authority, such as the ICO in the UK) and sometimes to the affected individuals as well. Failure to notify a data breach when required is itself a breach of the GDPR. The ICO has a useful self-assessment tool to help organisations determine whether a breach needs to be reported.
Notification to the regulator
All organisations are required to notify the relevant supervisory authority (the ICO in the UK):
- if a data breach is likely to result in a risk to the rights and freedoms of individuals (the severity of the potential impact on individuals as well as the likelihood of it occurring should be considered);
- without undue delay and, where feasible, within 72 hours; and
- in phases, if need be, as more information becomes available. An organisation should not wait to notify until it has all the relevant facts.
Notification to affected individuals
The individuals whose personal information has been compromised must also be notified:
- if the breach is likely to result in a high risk to the rights and freedoms of individuals, e.g. they are at risk of discrimination, physical harm, identity theft or fraud, financial loss or damage to reputation (completed data protection impact assessments will assist in assessing the risk level);
- without undue delay, and they must be informed of the steps they should take to protect themselves, e.g. changing their passwords.