A data breach is a very serious thing and the implications can be severe. If someone within your organisation screws up, there is one thing you need to be absolutely clear about.
THEY MUST TELL YOU!
You need to make sure that people are both empowered and encouraged to report data breaches.
If you run your business with a punitive or blame culture, people are less likely to report breaches. So make sure you don’t shoot the messenger, and that the messengers understand they will not be shot.
If people are scared to tell you, they might cover up a data breach. Remember, you are required to report notifiable data breaches to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of them, so every hour lost to a cover-up eats into that window. If the breach is serious enough, you may also need to tell the private individuals involved so that they can take steps to protect themselves.
A cover-up could result in real harm to the Data Subject, and if that happens they may well be motivated to take legal action against you.
Within your organisation, data breaches should be reported to the Data Controller. If you are the responsible director of your company, this means you. You may want to put a small team around you: someone who knows the affected process or system, someone who knows about GDPR (your DPO if you have one) and anyone else you think appropriate.
First of all you need to identify whether you really do have a personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. A lost laptop whose disk is properly encrypted is still a loss of personal data, but the risk to the individuals may be low; an unencrypted customer export emailed to the wrong recipient plainly carries risk.
If there is a breach, you only need to report it to the ICO if it is likely to result in a risk to the rights and freedoms of individuals. Keep a record of every breach, including the ones you decide not to report, together with your reasoning.
If there is a high risk to the rights and freedoms of individuals, you need to tell those affected too, without undue delay. Your notification to the ICO must include:
– The nature of the personal data breach including, where possible:
— the categories and approximate number of individuals concerned; and
— the categories and approximate number of personal data records concerned;
– The name and contact details of the Data Protection Officer (if your organisation has one) or other contact point where more information can be obtained;
– A description of the likely consequences of the personal data breach; and
– A description of the measures taken, or proposed to be taken, to deal with the personal data breach and, where appropriate, of the measures taken to mitigate any possible adverse effects.
Source: Information Commissioner’s Office, Overview of the General Data Protection Regulation (GDPR), 17th August 2017, licensed under the Open Government Licence
As a Data Controller you should be registered with the ICO by the time 25th May 2018 arrives. To be clear, you need to register yourself; the ICO isn’t going to come along and invite you to register.
Your registered status with the ICO means that they already know who you are when you contact them.
Reporting a data breach can be as simple as sending an email to the ICO; it is not a convoluted process by any means, and you will probably be able to report on the ICO website. Tell them that you have a breach, when it occurred and when you became aware of it, whom it affects and what you are doing about it.
Their response is likely to be, “Ok thanks.”
If there are more serious implications, I imagine the exchanges between you and the ICO will become a little more involved.
At the time of writing the ICO is preparing an online portal for managing registration and reporting, so in future you will be able to report your data breach through it.