Featured in JEP’s Expert Panel – 11th April 2018
A personal data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. Examples include accessing data you are not authorised to access, corruption of a digital data file with no back-up copy, and reversal of the pseudonymisation of data.
It will surprise many people just how wide in scope the definition is and how easy it will be to get caught out by it. Data controllers have only 72 hours (from when they become “aware” of the breach) to report to the relevant supervisory authority, and they must give reasons for any delay. Phased reporting of the facts of the breach is possible if further investigation is required, but controllers should first notify the authority and agree that further details will be provided at a later time.
Data breaches need to be classified as either a Confidentiality, Integrity or Availability breach. The availability type of breach is an interesting one, as it occurs where you are unable to restore your computer systems or back-up files within a reasonable time and this leads to a high risk of data subject(s) not being able to exercise their rights and freedoms.
Breach notifications should be in writing and contain the name and contact details of the controller and DPO (if any); the date, time, nature, content and location of the data breach; and the number and category of personal data records and data subjects affected. The controller should outline what technical and organisational actions have taken place in response and whether data subject(s) have been informed. A personal data breach register must be maintained by the data controller.
Remember you are also reliant on your data processor(s) to inform you of any breaches at their organisation or in their computer systems.