Following our expert GDPR guide for employers and an overview of employees' rights under the new legislation earlier this week, our experts now tackle the issue of how to report a data breach and the penalties your business may face for not complying with the new legislation.
Data breach notification requirements
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data. It may include:
- Inappropriate access controls (e.g. devices without passcodes) which allow unauthorised use;
- Equipment failure;
- Human error;
- Unforeseen circumstances such as fire or flood;
- Hacking.
A breach must be reported to the supervisory authority (in Ireland, the Data Protection Commissioner) without undue delay and, where feasible, within 72 hours of the employer becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Employers will be permitted to provide information in phases where a full investigation is not possible within that timeframe.
It is likely that employers will need to have a policy on reporting breaches under GDPR. All those within an organisation who are responsible for complying with GDPR will have to be aware of the circumstances under which a breach must be notified, and how it must be done.
In some cases, the individual whose data is involved in the breach must also be notified without undue delay, i.e. where the breach is likely to result in a high risk to the rights and freedoms of individuals.
Fines and penalties for non-compliance
A maximum fine of up to €10 million or 2% of global annual turnover (whichever is greater) can be applied where the following occurs:
- Failure to maintain records of processing activities;
- Failure to appoint a Data Protection Officer where one is required;
- Failure to notify a breach to the supervisory authority or the data subject;
- Failure to carry out a data protection impact assessment in relation to high-risk processing of personal data.
A maximum fine of up to €20 million or 4% of global annual turnover (whichever is greater) can be applied where the following occurs:
- Processing personal data without a lawful basis (consent of the data subject or another lawful basis);
- Failure to provide data subjects with transparent information, in a concise, intelligible and easily accessible form, about the existence of their rights under GDPR;
- Failure to demonstrate that the data subject has consented to the processing of his/her data, where consent is relied on;
- Failure to comply with the rights of access, rectification and erasure.
The above lists are not exhaustive.
How to prepare
The Data Protection Commissioner’s “12 steps to being prepared” guidance sets out the following areas that employers should consider:
- Awareness – let the relevant people in your organisation know that the law is changing
- Information audit – check what data you hold and who you share it with
- Privacy information – check your current privacy notices and make a plan for change
- Individuals’ rights – check how you currently comply with individuals’ rights e.g. complying with a subject access request or deleting personal data
- Subject access requests – plan how you will make changes to the process when the new law is here
- Lawful basis – check you have a lawful basis for processing data. Employers who process data for employment purposes are likely to be able to rely on the lawful basis of “performance of a contract” for most data processing, but potentially not all processing; other bases (such as compliance with a legal obligation or legitimate interests) may be needed for the remainder
- Consent – review how you obtain consent for processing data
- Children – review procedures for verifying ages and obtaining parental/guardian consent (not likely to have a great impact on the area of employment)
- Data breaches – review how you would notify a breach
- Impact assessments – consider how to implement data protection impact assessments
- Data Protection Officer – do you need a DPO? Who will ensure your compliance with GDPR?
- International – if you operate in more than one member state, determine your lead data protection supervisory authority
If you have any questions in relation to GDPR, please contact our expert employment law advisors on the 24 Hour Advice Service on 0818 923 923