In relation to data protection, people us the word “breach” in two different senses. It’s important to understand which type you are facing and the actions/ outcomes of that type of breach – particularly as with one type you may need to notify the ICO within 72 hours!
Breach of data protection laws
Data protection laws place obligations on any organisation that processes personal data. These obligations vary depending on whether or not you are acting as a data controller or data processor.
So a failure to comply with the applicable obligations would be a breach of data protection laws. For example, failing to respond to a subject access request within 30 days or not having a contract between a data controller and data processor.
There are consequences to these type of breaches (for example, see our blog here where failing to delete data resulted in a fine), but these are not the type of breach where you must notify the ICO within the strict deadlines.
Security breach
The second type of breach is a security breach. This means a security incident that has affected the confidentiality, integrity or availability of personal data.
While a hacked IT system or the loss of an unencrypted laptop may be more obvious security breaches, a wrongly sent email containing personal data of a customer may also be considered a security breach. The ICO uses the following examples to explain the meaning of a security breach:
• “access by an unauthorised third party; • deliberate or accidental action (or inaction) by a controller or processor; • sending personal data to an incorrect recipient; • computing devices containing personal data being lost or stolen; • alteration of personal data without permission; and • loss of availability of personal data.”
Reportable security breach
Depending on the impact of the security breach, organisations may need to notify the ICO and possibly even the individuals involved. But it’s important to remember that not everything needs to reported.
Where you do need to report the breach to the ICO, this must be done within 72 hours of the organisation becoming aware (and these means at any level of the business – not just when the directors or Data Protection Officer becomes aware).
This is why it is important to know how to recognise a security breach, how to assess the impact and what to do next.
GDPR breach helpline
We’ve created a dedicated GDPR breach helpline to act as a sounding board, help you work out which type of breach you have experienced and give you an initial view for a fixed price of £50 + VAT.