A personal data breach covers any situation where the confidentiality, integrity or availability of personal data has been compromised. It might involve malicious third parties, but breaches are often caused by negligent data handling or storage.
Article 4(12) of the UK GDPR defines a personal data breach as:
“a breach of security, leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data”.
Organisations must ensure appropriate technical and security measures are in place to protect against data breaches, and such measures should be risk based.
The Information Commissioner’s Office (ICO) recommends that organisations implement practical measures to help manage data breach situations, such as:
- Having a personal data breach management plan, to identify and respond to a potential data breach
- Having a personal data breach log, to record all data breaches
- Undertaking regular data breach testing, to identify and remedy any system vulnerabilities, and
- Ensuring training for employees.
Recording data breaches
Organisations must record all data breaches, including:
- The facts surrounding the breach
- The effects of the breach, and
- The remedial action taken, such as investigating root causes and further training.
A personal data breach that is likely to result in a risk to individuals’ rights and freedoms must be reported to the Information Commissioner’s Office without undue delay, and in any event within 72 hours of becoming aware of the breach. In these cases, organisations must also promptly inform the individuals affected.
Compensation and fines
Individuals can claim compensation for financial losses or distress caused by a personal data breach.
The ICO has the authority to impose substantial fines. Fines can amount to £17.5m or 4% of the organisation's annual turnover, whichever is greater.
For more information or advice on data protection compliance, please contact Beverley Flynn or any member of the technology and commercial team.