The General Data Protection Regulation (GDPR) came into effect in Ireland on 25 May 2018.
One of the key legal obligations employers must comply with under GDPR relates to how to handle a data breach or data protection breach.
If you’re looking for assistance with a data protection issue, or any other HR matters, get in contact for immediate assistance: 0818 923 923.
Or if you prefer, fill in a contact form to receive a callback.
What is a data breach?
Personal data is any information relating to an identified or identifiable individual. Your payroll data is likely to contain the names and addresses of your employees for instance. This information would constitute personal data.
Under GDPR, a personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
Personal data breaches tend to be either accidental or malicious. Employees can send emails to the wrong address or your organisation could be the victim of a phishing attack that seeks to gain access to personal data processed by your business.
If you’re wondering is ransomware a data breach, the answer is it likely is. Even if your organisation faces an attack with malicious software, the criminal’s illegal use of your company’s data may pose a risk to the rights of personal data subjects whose information you hold.
Either situation is a GDPR data breach that requires you to take action.
Who do you report a data breach to?
GDPR introduced a requirement for employers to report personal data breaches to the Data Protection Commissioner (DPC) where the breach represents a threat to the affected individuals.
If a data breach is likely to constitute a high-risk to the affected individual, those individuals must also receive notification without undue delay.
When do employers need to report a data breach?
Employers that process personal data are obliged to notify the DPC of any personal data breach. Ireland’s Data Protection Act 2018 states that unless data processors can demonstrate the personal data breach is, "Unlikely to result in a risk to the rights and freedoms of natural persons." So, the data breach must be notified to the DPC.
Where employers do become aware of a personal data breach that results in any risk to the rights and freedoms of data subjects, they must make a notification to the DPC "without undue delay" or "as soon as possible" and not later than 72 hours from when the employer became aware of the breach.
Assess the level of risk posed by data breaches
Best practices to prevent data breaches dictate that you have a system in place to record how and when you become aware of personal data breaches and how you assess the potential risk posed by data breaches.
What should a notification to the DPC contain?
The DPC has a notification form on its website. A notification must at least contain:
- The nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned.
- The name and contact details of the data protection officer (DPO) or other contact point where more information can be obtained.
- Describe the likely consequences of data breach.
- Describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
The DPC recommends that employers include information on how and when they become aware of the personal data breach, along with an explanation for any delay, if applicable.
The business impact of data breaches
Under GDPR, the DPC is authorised to impose fines on employers. Since GDPR came into effect, sanctions have increased and administrative fines have been introduced.
The DPC may impose fines of up to 4% of annual global turnover or €20 million, whichever is greater.
For less serious breaches, employers face fines of up to 2% of their annual global turnover or €10 million, whichever is greater.
Fines are proportional to the “nature, gravity and duration of the infringement”. Failure to comply with the new requirements of GDPR poses a serious financial risk to businesses.
Claims for compensation under GDPR
Harms that data subjects may suffer under GDPR are:
"Physical, material or non-material damage to natural persons, such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protection by professional secrecy, or any other significant economic or social disadvantage to the nature person concerned.”
Since the introduction of GDPR, data protection actions may include data breach compensation claims for stress and emotional suffering. Before GDPR, only financial or material loss could be recovered when claiming compensation for breach of data protection act rules.
How to avoid claims
The best way for employers to avoid claims is to put appropriate procedures in place to ensure compliance with GDPR. Having strong procedures in place that demonstrate that your organisation complies with data breach guidelines will be the best way to defend any data protection claims.