From 25th May 2018, the GDPR has meant that you need to report any notable data breaches to the ICO within 72 hours of becoming aware of them. In high-risk cases, you must also notify the individuals concerned.
So, what’s a data breach, and what counts as ‘notifiable’?
A data breach is a violation of security that leads to the loss, alteration, unauthorised disclosure, access to, or destruction of personal data.
Whether a data breach is notifiable is decided on a case-by-case basis, but a notifiable breach is generally one that can result in a risk to individuals' rights and freedoms, and one that is likely to have a significant detrimental effect on the individuals concerned.
What does the notification need to include?
- The categories and number of individuals and personal data records concerned
- The name and contact details of where more information can be given (e.g. your data protection officer)
- The likely result of the data breach
- What you have done, or plan to do, to deal with the breach
If you fail to comply with this GDPR requirement, you could receive a fine of up to €10,000,000 or 2% of your global annual turnover for the preceding financial year, whichever is higher.