Reporting data breaches – a guide for HR teams

28 / 06 / 2018

Having spent weeks or even months making your HR processes, systems and documents GDPR-compliant, you will realise that there is no let-up and that the focus of your efforts will now extend to dealing with data breaches.

What is a data breach under GDPR?
Any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

Can a breach be “internal” e.g. where personal data never leaves the organisation but is accidentally shared internally?

Yes. For example, if an employee’s health records were accidentally sent to another employee, that would amount to a data breach.

Do we need to record details of all breaches?

Yes, you have an obligation to do so under GDPR, whether or not the breach is reportable.

In any event, by analysing and recording the causes, extent and impact of the breach and documenting the organisation’s response to it, you should be in a better position to persuade the ICO and any affected parties that you have reacted appropriately.

We can help you to put in place a detailed risk assessment process and documentation.

Which breaches must be reported to the Information Commissioner’s Office?

Any breach that is likely to pose a risk to any person’s rights and freedoms. This is a very wide definition that requires the exercise of judgement in each case, but also a full understanding of the circumstances of the breach, which is why a detailed risk assessment process is so important.

What is the time limit for notifying the ICO?

You must notify without delay, and not later than 72 hours from becoming aware of the breach.

Should we notify the ICO even if our internal investigations are not complete?

Yes, that is advisable. The GDPR allows you to provide the necessary information in phases if necessary.

What information do we have to give to the ICO when notifying a breach?

The GDPR requires you to provide:

  • a description of the nature of the personal data breach including, where possible:
    • the categories and approximate number of individuals concerned; and
    • the categories and approximate number of personal data records concerned;
  • the name and contact details of the data protection officer (if your organisation has one) or other contact point where more information can be obtained;
    • a description of the likely consequences of the personal data breach; and
    • a description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.

This is why you must have a good internal system for recording the nature of the breach and your response to it.

Do we also need to tell affected individuals?

Yes, if there is a “high” risk to their rights and freedoms. Again, this requires an exercise of judgement based on a complete understanding of the circumstances.

In the HR context, if another employee’s data is the subject of the breach, you should consider your other legal obligations to them in addition to those under the GDPR.

Should we also notify our insurers?

Yes, without delay. We are aware of cases where an organisation has preferred to complete an internal investigation first, before notifying insurers, and has found itself to be in breach of its insurance policy conditions.

Should we have a DPO in order to deal with breaches?

One of the advantages of having a DPO is that they act as point of communication between your organisation and the ICO, particularly in relation to breaches.

We provide an outsourced DPO service through our ProDPO business.

What are the penalties for failure to notify a breach?

They are significant: a fine of up to 10 million Euros or 2 per cent of your organisation’s global turnover. In addition, the ICO can impose other corrective measures.

For more information, please contact us today.

For further information please contact Blair Adams or James Castro-Edwards.