GDPR: Preparing for Change! What do Employers and HR teams need to know?
Part 5: Mandatory Data Breach Notification
The General Data Protection Regulation (GDPR) will be enforceable as of May 2018 and will impact the day-to-day activities of HR teams and employers on a wide scale. In part 5 of our blog series, we concentrate on the new rules on Data Breach Notifications under the GDPR and how these will affect employers and HR teams.
What is a personal data breach?
A personal data breach is defined in the GDPR as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
Therefore, if your organisation suffers any kind of action which destroys, alters or discloses personal data that you hold, or which gives an unauthorised person access to it, this will constitute a data breach under the GDPR, and in certain circumstances you will need to comply with the new rules for reporting data breaches.
Under the Data Protection Act 1998 (DPA), there is generally no legal obligation on employers, or on any other data controllers or processors, to report data breaches to the Information Commissioner’s Office (ICO). However, the ICO believes that serious data breaches should be brought to its attention.
Under the ICO guidance, data breaches should be brought to the attention of the ICO where:
- there is potential detriment to data subjects – i.e. emotional distress, physical or financial damage;
- a large volume of data is lost, released or corrupted – therefore there is a large risk of harm to data subjects;
- the data lost, released or corrupted is sensitive – where the data concerned is sensitive personal data (i.e. involves race, sex, religious or political beliefs or health).
What will change under the GDPR?
- Under the GDPR, in certain circumstances, businesses will have up to 72 hours after becoming aware of a breach to report it to the relevant Data Protection Authority (the ICO in the UK). Organisations will only be subject to this obligation where the breach of personal data is likely to result in a risk to the rights and freedoms of data subjects.
- Businesses must also report the breach to the affected data subjects without undue delay, but only where the breach is likely to result in a high risk to those data subjects. Notification to data subjects is not required where:
  - the controller has implemented appropriate security measures in relation to the personal data;
  - the controller has taken subsequent measures to ensure that the high risk to data subjects is no longer likely to materialise;
  - it would involve disproportionate effort (in which case there will be a public communication informing the data subjects).
- A data breach notification should contain a description of the breach, the contact details of the Data Protection Officer (if applicable), the consequences of the data breach and any measures taken by the business to remedy the breach.
What will this mean for employers/HR teams?
In order to be compliant with the GDPR data breach provisions by 25 May 2018, businesses should start to prepare now!
To ensure that your organisation is able to meet the 72-hour deadline for data breach reporting, your business should take the following steps:
- review current data security measures to ensure they are up to standard and reflect the data you process;
- review training of staff on security breaches and how to report these internally;
- develop internal policies and procedures for determining when a breach has taken place and how to manage that breach and/or give notification where required. Organisations should ensure that their internal policies include guidance for determining when and in what circumstances to report a data breach;
- ensure that you have a data breach plan in place so that everyone in the business is aware of their role if a data breach occurs;
- consider appointing a Data Protection Officer (but be mindful that should you appoint a DPO where you are not obliged to, the rules around the DPO will apply to your organisation even though you voluntarily appointed one). We will cover this in Part 7 of this blog series;
- read our blogs and come to our GDPR seminars and seek guidance where appropriate!
With fines for breaching the GDPR reaching up to €20,000,000 or 4% of worldwide annual turnover, businesses should start preparing now for the GDPR coming into force!
Contact our Specialist Compliance and Regulatory Lawyers
MacRoberts’ team of data protection specialists can provide expertise and advice to businesses wishing to adopt this proactive approach to compliance preparation. We pride ourselves on our diverse, resourceful and highly skilled team of compliance and regulatory solicitors, who have substantial commercial and legal experience, delivering a pragmatic and commercial approach to our clients and their businesses.
If you require advice, assistance or representation in relation to the upcoming General Data Protection Regulation obligations or any other compliance and regulatory matters, contact our team today for expert advice tailored to your needs and/or sign up to our newsletter to keep up to date with the latest GDPR news and developments.