In this HR Blast we focus on one specific area of the GDPR regulations: Reporting Data Breaches. You may have been hiding under a rock over the last few months – but if you haven’t, you will know that the GDPR will replace the current Data Protection legislation on 25th May this year, and there is an obligation on companies to get compliant!
Let’s start with a question … is the following scenario a data breach that you would need to report if you had made this error?
This week our MD stayed in a hotel (leisure, not business). On leaving she was advised her invoice would be emailed. An invoice was emailed just a few hours later, but it was addressed to a man she did not know and the invoice included his home address. Presumably her invoice had been emailed to someone else, or perhaps her personal data had never left the hotel system.
A reportable data breach or not?
Under the GDPR, there is a mandatory breach reporting responsibility on all organisations that handle data (under the Data Protection Act it was simply advised, not a legal requirement).
From 25th May, you must:
- notify the ICO (in the UK) of certain types of data protection breaches;
- report such breaches without undue delay and within 72 hours of becoming aware of the breach, where feasible (even if you don’t have all of the details yet);
- where the breach poses a high risk of adversely affecting individuals’ rights and freedoms, notify the individual of the breach without undue delay; and
- keep a full internal breach register. Organisations that don’t already have internal procedures for managing data protection breaches should consider adopting formal procedures.
Fines for breaching the GDPR could be up to 4% of annual worldwide turnover, or EUR 20 million, whichever is greater. In practice, fines will be issued according to a sliding scale and consideration would be given to the nature, gravity and duration of the breach.
So, do you know what a data breach is, and whether you’ll need to report it?
The ICO sets out that a personal data breach is, ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.’
Examples of data breaches include:
- access by an unauthorised third party;
- deliberate or accidental action (or inaction) by a controller or processor;
- sending personal data to an incorrect recipient;
- computing devices containing personal data being lost or stolen, e.g. USB sticks, iPads, laptops, etc.;
- alteration of personal data without permission; and
- loss of availability of personal data.
The ICO confirms that under the GDPR, when a personal data breach has occurred, you should first try to contain it. You then need to establish the likelihood and severity of the resulting risk to people’s rights and freedoms, based on how serious and substantial the potential consequences are and how likely they are to happen. If a risk is likely, you must notify the ICO; if it is unlikely, you don’t have to report it. However, if you decide you don’t need to report the breach, you need to be able to justify this decision, so you should document it.
So, what will you do? In our training we have 10 scenarios around data breaches. Here are just a couple of scenarios for you to consider to get the cogs turning! The first two we have answered for you, the other two you will have to work out yourself or book some training!
Your payroll provider emails confirmation of salary payments for the month. Your finance person is off sick but you have a colleague checking their emails just in case anything important comes in while they are absent. The colleague sees the payroll covering letter that raises an issue about one employee although the payroll report itself is password protected so they don’t see that.
Is it a breach? Will you report it?
This is unlikely to be a breach if the employee covering for the absent finance staff member has the authority to cover the work in their absence and has signed a confidentiality agreement. It should not be reportable to the ICO, as the affected employee’s rights and freedoms are unlikely to be at high risk of being adversely affected: they are unlikely to suffer any financial or material loss as a consequence.
Returning from a meeting with your company accountant, you find you have lost the memory stick containing quite a bit of employee personal information. You don’t know where you mislaid it. Your car? The train? Perhaps at home or dropped in the street? You don’t know if anyone might have found it. Perhaps it will turn up safe and sound tomorrow, hidden in the recesses of your bag.
Is it a breach? Will you report it?
This is highly likely to be a breach as it is the accidental loss of data in a form that could be accessed without authority by a member of the public, and you don’t know where it is (therefore it’s a complete loss of data). It would be reportable to the ICO and the individuals concerned because the data could be used to commit identity fraud and individuals are therefore likely to suffer financial loss or other consequences as a result of the breach.
In checking adherence to your IT policy, you task your IT department with checking people’s website browsing history and also with randomly accessing a number of files marked personal. One of these includes research into bisexuality. Another employee has been accessing websites with sexual content. A third regularly logs on to gambling sites. The IT manager sends you a full report, which is copied to one of her colleagues. Is it a breach and does it need reporting?
In doing an office clear out, you find a stack of printed CVs and covering letters from a recruitment activity a year ago. You know the applicants will have expected their documents to have been disposed of, and certainly not left lying around a back office for anyone to find.
Is it a breach and does it need reporting?
Need answers to these last two scenarios or just want to know more about the GDPR and what it means for you in practical terms, including what action to take next?
We offer GDPR support through:
- Half day training sessions for your HR team and line managers – delivered by our Jaluch team
- Train the trainer sessions and materials for your trainers to roll out Data Protection Training
- Data Protection Policies, sample Privacy Notices, Guidance, Letters, Forms etc. – available on DocsWizard
- Free breakfast seminars, subject to availability.
- E-learning to educate your managers and staff, currently being developed – register your interest with us now.
Want to talk through your options? Call us on 01425 479888.
The information contained within this article is for general guidance only and represents our understanding of employment and associated law and employee relations issues as at the date of publication. Jaluch Limited, or any of its directors or employees, cannot be held responsible for any action or inaction taken in reliance upon the contents. Specific advice should be sought on all individual matters.