Recently I was asked about a personal data breach and what action should be taken. The query prompted me to focus this legal update on such occurrences. Personal data breaches are not a subject matter that we discuss every day, so it is very important for our members to be reminded of their responsibilities.
The Information Commissioner’s Office (ICO) defines a personal data breach as:
“A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.”
Examples of personal data breaches are:
- Allowing unauthorised third parties access to your computer by leaving your device unlocked and/or unattended.
- Personal data being lost or stolen, e.g., leaving a company laptop/tablet on public transport.
- Sending personal data to the wrong person, such as an email containing a customer’s details being sent to the incorrect recipient.
If a security incident has taken place, you should quickly establish whether a personal data breach has occurred. If it has, promptly take steps to address it, including notifying the ICO if required. You also need to keep a log of any breaches, recording the details of each breach and the actions taken.
Now, you are probably thinking that most of us have, accidentally and/or unknowingly, sent emails to the wrong person. However, you must assess the risk arising from what was contained in the email and what the incorrect recipient could do with the information.
The focus of risk regarding breach reporting is on the potential negative consequences for individuals. Recital 85 of the UK GDPR explains that:
“A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned.”
If a breach is likely to result in a high risk to the rights and freedoms of individuals, the UK GDPR says you must inform those concerned directly and without undue delay. In other words, this should take place as soon as possible.
If you have any concerns regarding personal data breaches, we suggest you visit the ICO’s website at https://ico.org.uk/. Alternatively, you can always contact the Lawgistics legal helpline for advice and assistance.