Personal data breaches (2024)

Table of Contents
At a glance In brief What is a personal data breach? What breaches do we need to notify the ICO? What information must a breach notification to the Information Commissioner contain? When do we have to tell individuals about a breach? What information should we tell individuals who have been affected by the breach? How do we notify a breach? What should we do to prepare for breach reporting?

At a glance

  • Part 3 of the DPA 2018 introduces a duty on all organisations to report certain types of personal data breach to the Information Commissioner. You must do this within 72 hours of becoming aware of the breach, where feasible.
  • If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, you must also inform those individuals without undue delay.
  • You should ensure you have robust breach detection, investigation and internal reporting procedures in place.

In brief

  • What is a personal data breach?
  • What breaches do we need to notify theICO about?
  • What information must a breach notification to the Information Commissioner contain?
  • When do we have to tell individuals about a breach?
  • What information should we tell individuals who have been affected by the breach?
  • How do we notify a breach?
  • What should we do to prepare for breach reporting?

What is a personal data breach?

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data.

What breaches do we need to notify the ICO?

You only have to notify the ICO of a breach if it is likely to result in a risk to the rights and freedoms of individuals. If leftunaddressed such a breach is likely to have a significant detrimental effect on individuals. For example:

  • result in discrimination;
  • damage to reputation;
  • financial loss; or
  • loss of confidentiality or any other significant economic or social disadvantage.

In more serious cases, for example those involving victims and witnesses, apersonal data breach may cause more significant detrimental effects on individuals.

You have to assess this on a case by case basis and you need to be able to justify your decision to report a breach to the Information Commissioner.

See Also
Six data protection principles - Family CLICPrinciples of Data Protection | Data Protection CommissionPrinciplesMalaysia’s 7 Personal Data Protection Principles

What information must a breach notification to the Information Commissioner contain?

You must include:

  • a description of the nature of the personal data breach including, where possible:
    • the categories and approximate number of individuals concerned;
    • the categories and approximate number of personal data records concerned;
  • the name and contact details of the data protection officer (if you have one) or other contact point where more information can be obtained;
  • a description of the likely consequences of the personal data breach; and
  • a description of the measures you have taken, or propose to take, to deal with the personal data breach and, where appropriate, of the measures you have taken to mitigate any possible adverse effects.

When do we have to tell individuals about a breach?

If a breach is likely to result in a high risk to the rights and freedoms of individuals, you must inform those concerned directly without undue delay.

A ‘high risk’ means the threshold for informing individuals is higher than for notifying the ICO.

The duty to tell an individual about a breach does not apply if:

See Also
Penalties

  • you have implemented appropriate technical and organisational measures which were applied to the personal data affected by the breach (for example the data has been securely encrypted);
  • you have taken subsequent measures which will ensure that any high risk to the rights and freedoms to individuals is no longer likely to materialise; or
  • it would involve disproportionate effort.

Where a communication of a breach would involve disproportionate effort, you must make the information available to individuals in another, equally effective way, such as a public communication.

You may restrict the information, either wholly or partly, that you provide to individuals affected by a breach under certain circ*mstances. This is when doing so is a necessary and proportionate measure:

  • to avoid obstructing an official or legal inquiry, investigation or procedure;
  • to avoid prejudicing the prevention, detection, investigation or to prosecution of criminal offences or the execution of criminal penalties;
  • to protect public security;
  • to protect national security; or
  • to protect the rights and freedoms of others.

What information should we tell individuals who have been affected by the breach?

You must give individuals information including:

  • a description of the nature of the personal data breach;
  • the name and contact details of the data protection officer (if relevant) or other contact point where more information can be obtained;
  • a description of the likely consequences of the personal data breach; and
  • a description of the measures you have taken, or propose to take, to deal with the personal data breach and, where appropriate, of the measures you have taken to mitigate any possible adverse effects.

How do we notify a breach?

You have to report a notifiable breach to the ICO without undue delay and within 72 hours of when you became aware of it. Part 3 of the DPA 2018 recognises that it will often be impossible for you to investigate a breach fully within that time-period and allows you to provide information in phases. If you cannot provide all the information required above within 72 hours, you must also explain reasons for the delay in your breach notification.

If the breach is sufficiently serious to warrant notification to the public, you must do so without undue delay.

Failing to notify a breach when required to do so can result in a significant fine up to£8.7m or 2 per cent of your global turnover.

To notify the ICO of a personal data breach, please see our pages on reporting a breach.

What should we do to prepare for breach reporting?

You should make sure that your staff understand what constitutes a personal data breach, and that this is more than a loss of personal data.

You should ensure that you have an internal breach reporting procedure in place. This will help decision-making about whether you need to notify the Information Commissioner or the affected individuals.

In light of the tight timescales for reporting a breach, it is important to have robust breach detection, containment, management and mitigation policies and procedures in place.

Personal data breaches (2024)
Top Articles
Almost 75% of Americans Have Financial Regrets
Worm | Segmented, Annelid, Invertebrate
It's Official: Sabrina Carpenter's Bangs Are Taking Over TikTok
Craigslist Monterrey Ca
Promotional Code For Spades Royale
Valley Fair Tickets Costco
Erika Kullberg Wikipedia
Wannaseemypixels
Nikki Catsouras Head Cut In Half
Jesus Revolution Showtimes Near Chisholm Trail 8
12 Best Craigslist Apps for Android and iOS (2024)
Nexus Crossword Puzzle Solver
Nier Automata Chapter Select Unlock
Simpsons Tapped Out Road To Riches
Mzinchaleft
Unterwegs im autonomen Freightliner Cascadia: Finger weg, jetzt fahre ich!
E22 Ultipro Desktop Version
Fraction Button On Ti-84 Plus Ce
Zoe Mintz Adam Duritz
Why Is 365 Market Troy Mi On My Bank Statement
Curver wasmanden kopen? | Lage prijs
Drift Boss 911
zom 100 mangadex - WebNovel
Anonib Oviedo
Piedmont Healthstream Sign In
Watson 853 White Oval
Pokémon Unbound Starters
Reserve A Room Ucla
Dentist That Accept Horizon Nj Health
Metro By T Mobile Sign In
Colin Donnell Lpsg
UPS Drop Off Location Finder
Whas Golf Card
Blackstone Launchpad Ucf
Blue Beetle Movie Tickets and Showtimes Near Me | Regal
The Boogeyman Showtimes Near Surf Cinemas
Academic important dates - University of Victoria
Priscilla 2023 Showtimes Near Consolidated Theatres Ward With Titan Luxe
Bartow Qpublic
The Listings Project New York
Seven Rotten Tomatoes
Owa Hilton Email
Hk Jockey Club Result
Brother Bear Tattoo Ideas
Chubbs Canton Il
Movie Hax
Human Resources / Payroll Information
The Average Amount of Calories in a Poke Bowl | Grubby's Poke
Shiftselect Carolinas
Erica Mena Net Worth Forbes
99 Fishing Guide
Latest Posts
Discord bot commands not working
How to Cut Your Auto and Home Insurance Bills This Year
Article information

Author: Clemencia Bogisich Ret

Last Updated:

Views: 6494

Rating: 5 / 5 (80 voted)

Reviews: 87% of readers found this page helpful

Author information

Name: Clemencia Bogisich Ret

Birthday: 2001-07-17

Address: Suite 794 53887 Geri Spring, West Cristentown, KY 54855

Phone: +5934435460663

Job: Central Hospitality Director

Hobby: Yoga, Electronics, Rafting, Lockpicking, Inline skating, Puzzles, scrapbook

Introduction: My name is Clemencia Bogisich Ret, I am a super, outstanding, graceful, friendly, vast, comfortable, agreeable person who loves writing and wants to share my knowledge and understanding with you.