Last updated: 21st May 2018
Breach Notification Procedure
The GDPR introduces a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority. You must do this within 72 hours of becoming aware of the breach, where feasible.
If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, you must also inform those individuals without undue delay.
This procedure is applicable to both data controllers and data processors.
All users (whether Employees, contractors or temporary Employees and Appointed Representatives and their advisers) of The Right Mortgage Limited are required to be aware of, and to follow this procedure in the event of a personal data breach.
3. Definition of a Personal Data Breach
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.
Personal data breaches can include:
- access by an unauthorised third party;
- deliberate or accidental action (or inaction) by a controller or processor;
- sending personal data to an incorrect recipient;
- computing devices containing personal data being lost or stolen;
- alteration of personal data without permission; and
- loss of availability of personal data.
In short, there will be a personal data breach whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable, for example, when it has been encrypted by ransomware, or accidentally lost or destroyed.
A breach can have a range of adverse effects on individuals, which include emotional distress, and physical and material damage, all of which would result in a breach being reported.
4. Procedure – Breach Notification Data Processor to Data Controller
The firm shall report any personal data breach to the Data Protection Officer without undue delay. The Data Protection Officer will record this in the Internal Breach Register. Confirmation of receipt of this information is made by email.
5. Procedure – Breach Notification Data Controller to Information Commissioner’s Office (ICO)
The Data Protection Officer shall notify the ICO without undue delay, of a personal data breach.
The Data Protection Officer will assess whether the personal data breach is likely to result in a risk to the rights and freedoms of the data subjects affected by the personal data breach.
If a risk to the aforementioned is likely, the Data Protection Officer shall report any personal data breach to the ICO without undue delay, and where feasible not later than 72 hours. Where data breach notification to the ICO is not made within 72 hours, it shall be accompanied by the reasons for the delay.
The Data Protection Officer shall provide the following information to the supervisory authority:
- A description of the nature of the breach
- The categories of personal data affected
- Approximate number of data subjects affected
- Approximate number of personal data records affected
- Name and contact details of the Data Protection Officer
- Likely consequences of the breach
- Any measures that have been or will be taken to address the breach, including mitigation
- The information relating to the data breach, which may be provided in phases.
6. Procedure – Breach Notification Data Controller to Data Subject
Where the personal data breach is likely to result in high risk to the rights and freedoms of the data subject The Data Protection Officer shall notify the affected data subjects without undue delay.
The notification to the data subject shall describe in clear and plain language the nature of the breach including the information specified above.
Appropriate measures have been taken to render the personal data unusable to any person who is not authorised to access it, such as encryption.
The controller has taken subsequent measure to ensure that the rights and freedoms of the data subjects are no longer likely to materialise.
It would require a disproportionate amount of effort. In such a scenario, there shall be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.
The ICO may where it considers the likelihood of a personal data breach resulting in high risk require the Data Protection Officer to communicate the personal data breach to the data subject.
7. Procedure – Reporting Personal Data Breaches to Professional Indemnity Insurers
Where the personal data breach is likely to result in redress becoming payable, details of the breach and the potential redress must be notified by The Data Protection Officer to the Professional Indemnity Insurer without undue delay.