GDPR - BREACHES
But what do you need to do if there is a breach?
The GDPR introduces a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority (in the UK, the Information Commissioner's Office - ICO). You must do this within 72 hours of becoming aware of the breach, where feasible. If the breach is likely to result in a high risk of adversely affecting individuals' rights and freedoms, you must also inform those individuals without undue delay. You must also keep a record of any personal data breaches, regardless of whether you are required to notify.
Examples of breaches are:
- Data is accessed by an unauthorised third party
- Deliberate or accidental action (or inaction) by a controller or processor
- Sending personal data to an incorrect recipient
- Computing devices containing personal data being lost or stolen
- Alteration of personal data without permission
- Loss of availability of personal data
When a personal data breach has occurred, you need to establish the likelihood and severity of the resulting risk to people's rights and freedoms. If it's likely that there will be a risk then you must notify the ICO; if it's unlikely then you don't have to report it. However, if you decide you don't need to report the breach, you need to be able to justify this decision, so you should document it.
So if you lose your laptop that has employees' personal data on it, you may not need to report this if the computer has adequate encryption software, because the likelihood of someone accessing the data is extremely slim and it is therefore unlikely that there will be a breach of personal data (you may need to talk to your IT department about these things).
You should keep a data register of all breaches. This can also be used to record your reasoning / justification if you do not report it.
If we can be of assistance please do not hesitate to contact us on 01702 216573 or email me at paula@practical-hr.co.uk
Useful links
The information commissioner - Telephone number: 0303 123 1113