What to do if your company has a personal data breach?

What is a personal data breach?

A personal data breach occurs when personal data has been accidentally or unlawfully:

  • lost
  • destroyed
  • altered
  • not kept up to date
  • disclosed.

We already know from experience that the most common reasons for violating the GDPR/UK GDPR are human error and cyber attacks.

However, the event that led to the breach is not always culpable or premeditated.

Simple inattention when sending an e-mail that goes to the wrong person, accidentally destroying documents containing personal data, losing a USB stick on the way home or simply not logging out of the computer while away from the office can result in a serious breach, with consequences for both the company and the data subject.

Since personal data protection law places a presumption of guilt on the data controller in the event of a breach, it is worth knowing what to do if something goes wrong.

What to do if a breach is found (or suspected)?

First of all, your company documentation should include a policy that precisely specifies the procedure to be followed in the event of a breach of the GDPR/UK GDPR (Data Breach Notification Procedure) and a register of breaches (Data Breach Records).

These documents are mandatory for every company in the UK.

In the first one, you should find predetermined instructions on what to do in the event of a breach, while the second one is used to record any questionable situations – and you should hope it stays empty forever.

In accordance with the law and your policy, first notify your Data Protection Officer (DPO), if you have appointed one, or the person who is responsible for the protection of personal data in your organization.

This person should investigate the suspected or confirmed breach in terms of its size (how many people are affected, how much personal data was breached), its type (what data was breached: ordinary? sensitive?), the likely effects of the breach and the remediation options.

You are obliged to document this analysis and record it in the breach register.

If you conclude that the breach will not pose a risk to individuals, you do not have to report it.

For example, this could happen if you accidentally deleted contact information, but it didn’t include passwords or financial information.

If the breach is more serious, you must report it to the Information Commissioner’s Office (ICO) within a maximum of 72 hours of detecting the breach.

Additionally, if there is a high risk for data subjects, you must also inform them about it as soon as possible so that they have the greatest possible chance of protecting themselves from the negative effects of the breach.

You have 72 hours from the moment you find out about it to report the breach!

Consequences of the breach?

The consequences of a breach can be very serious both for the data controller’s company and for the people whose data was breached.

Firstly, the company where the breach occurred is exposed to financial penalties.

Simply failing to report a breach when required could result in a fine of up to £8.7 million or 2% of the company’s total turnover.

However, for the breach itself you may be fined a separate penalty (up to a maximum of £17.5 million or 4% of the company’s annual global turnover), the amount of which will depend on the type and scale of the breach, your cooperation in the proceedings after its discovery, and how correctly personal data protection has been implemented in your company.

Remember that in the event of a breach, you must be able to demonstrate that you did everything in your power to prevent the breach from occurring.

The inspectors will pay attention to the presence of UK GDPR documentation in your company, employee GDPR training, cyber security, etc.

In addition to financial penalties, a data subject affected by a breach has the right to demand compensation from the company.

Of course, the company’s reputation will also suffer in the event of serious and large-scale breaches.

If you are the owner of a website or a mobile application and want to create a Privacy Policy that will comply with the law – our website: “Online Business” may be useful.

What if your co-worker caused a breach?

When processing personal data, we often deal with many entities that have access to the same data.

Suppose, for example, that your company outsources marketing, accounting and recruitment services to another company. We are then dealing with a situation where there is a data controller (the main company that decides on the personal data) and a processor (a company that works with the entrusted data within a given scope, e.g. an accountant, photographer or HR provider).

If in such a situation a breach occurs on the part of the processor, the controller will be penalised proportionally together with its subcontractor.

In such a situation, also remember that the 72-hour period starts from the moment the processor learned about the breach, not from the moment it notified you, and that a “Processing Entrustment Agreement” should have been concluded beforehand between the controller and the processor. If there is no such agreement or no clause on entrusting processing in the contract between the companies, the controller will be exposed to additional liability.

If you are the owner of a website or mobile application and you are not sure whether the Privacy Policy published by you is lawful – our service: “UK GDPR Consultation” may be useful.

Have a question?

Go to our service page if you need a consultation or other help related to the UK GDPR.
