What Constitutes a Data Protection Breach by an Employee?

  • Data Protection
Peninsula Group Limited - An employer exploring a data breach
Peninsula Logo

Peninsula Group, HR and Health & Safety Experts

(Last updated )

What should you do if an employee makes a data protection breach? GDPR laws mean it's potentially a serious issue. This guide explains how to handle the situation.

As your online presence increases, so does the risk of people stealing your personal data.

And if you're an employer, your business needs secure data protection. Otherwise, you're at high risk of suffering legal action, GDPR fines and reputational damage.

Personal data breaches are a threat to your business. Which is why you must follow the law accordingly.

In this guide we’ll explain what GDPR is, how to avoid a data breach, and how to comply with UK law.

What is GDPR?

GDPR stands for general data protection regulation. And aims to give more control to individuals when it comes to their data.

The law came into effect in 2018. And applies to EU countries, as well as the UK.

Who does GDPR apply to?

Every business should follow GDPR.

GDPR laws outline three personal data factors to consider:

●      Data subjects: This is who the personal data relates to.

●      Data controllers: This is the individual or business who decides what data to collect and how.

●      Data processors: This is the individual or business who processes personal data for the controller.

The Data Protection Act 2018

The Data Protection Act is a UK law that controls how businesses and organisations manage your personal data.

Organisations, businesses, and even the government have a legal responsibility to protect personal data.

Any person or employer storing this data should follow the data processing principles. Which you can find under the Data Protection Act.

Data processing principles

Data processing principles are a set of strict rules. They act as a guide to storing personal and sensitive personal data safely.

The seven data processing principles are as follows:

Compliance with these principles is a good start for those storing personal data. And those looking to implement strong data protection practices.

What rights do data subjects have?

Under UK GDPR, data subjects have certain rights in regards to how third party services process and control their personal data.

These rights include:

What is personal data?

Personal data refers to information about an individual. Information about companies, organisations or public authorities is not personal data.

The law states that stored personal data cannot:

Examples of personal data include:

Identifiable factors

An identifiable factor is a recognizable detail of a person. If processed data includes an identifiable factor, this breaches GDPR.

Identifiable factors include:

The Data Protection Act provides a list of identifiers should your business need to refer to it.

What does GDPR compliance look like?

You should ensure you are GDPR compliant when dealing with the personal data of employees and customers. To be compliant with GDPR, you should ensure you follow certain practices.

This includes:

Let's explore these examples in more detail.

Obtaining consent

You should obtain consent when storing personal data.

Lawful consent will:

For example, an employer may want to obtain consent from their customers for marketing purposes.

To do this, they may send an email giving customers the chance to confirm their marketing preferences. This will give them the option to opt-in or out to future marketing communication.

Lawful data processing

To process personal data, you must have a valid lawful basis. You do not have a lawful basis for processing if there is another reasonable and less intrusive way to achieve the same result.

There are six lawful bases under UK GDPR.

These include:

A data subject can override these bases if the information is special category data.

Processing special category data

Special category data is also known as sensitive data. Processing special category data has a higher risk than any other type of data.

Examples include:

Because of its sensitivity, special category data needs to be processed and collected differently. This means following certain conditions.

These conditions include:

Secure data protection

There are a number of security measures you can take as an employer to maintain data protection.

These include:

Let's explore these measures in more detail.

GDPR compliance audit

In order to see how GDPR compliant your business is, you should conduct a GDPR audit.

An audit will assess which parts of your business aren't following GDPR rules. And reveal the status of your current information security. It will also identify where there is risk of a personal data breach.

A UK GDPR team or third party can conduct the audit. And provide an objective view of your company's data processing. They will also provide guidance on how to improve your company's GDPR compliance.

GDPR audits are not a 'one-off' practice however, and your business should schedule one every year.

Appoint a data protection officer

The role of a data protection officer (DPO) is to make sure that data processing is done in accordance with GDPR.

They are in charge of the decision making behind data safety measures. And must manage legal compliance, as well as liaising with the official authority.

A DPO will advise on how to improve your company's data protection and processing policies. As well as implementing their own organisational measures to keep personal data protected.

They can also answer questions from employees about their processing activities and data security.

Any organisation can hire a DPO, but your company should appoint one if they:

Should a personal data breach occur, a DPO will act without undue delay.

What is a personal data breach?

A personal data breach is an incident that leads to the accidental or unlawful loss of personal data.

This includes the alteration and unauthorised disclosure of personal data. As well as unauthorised access to a person's information.

Under UK GDPR, if a security incident takes place at work, the individual or business needs to establish whether a breach has occurred.

The effect of a personal data breach

Personal data breaches have a negative impact on the natural persons targeted. And can result in many possible adverse effects.

These effects include:

Responding to the breach in a timely manner will mitigate these adverse effects. Especially if you have a breach procedure in place.

Managing a personal data breach

If your company suffers a security incident, don't panic. Instead focus your attention on reducing the adverse effects of the personal data breach.

As an employer, there are a number of steps you need to take.

These include:

Let's discuss how these steps work in more detail.

Establishing the facts of the breach

If your company receives a personal data breach notification, you should work out what actually happened. This means finding out the who, what, where, why and how.

To work this out, you need to ask the following questions:

You should also consult the data processor and data controller within your business. They will be able to shed light on the cause of the breach. As well as disclosing the personal data records concerned.

The DPO or other contact point at your business should also be aware of the personal data breach. And have a response plan to mitigate the possible adverse effects.

Containing the breach

Next, it's important you contain the personal data breach as much as possible.

This includes:

For example, if you sent an email with confidential contact details about an individual to the wrong person, you could ask them to delete it.

But, more severe personal data breaches require remedial action.

Reporting the breach to the ICO

The law requires you to report a breach to the ICO.

The ICO is the UK's data protection regulator and supervisory authority for GDPR compliance. They can investigate the incident and determine who is at fault.

The report must include the approximate number of data subjects affected by the breach. As well as the type of data breached.

Ensure you report the incident without undue further delay. The report should be done within 72 hours of the data breach.

Conduct a risk assessment

If your company receives a personal data breach notification, you will need to take remedial action to work out if the breach is low or high-risk.

This means considering the following elements:

If you want more information about conducting a risk assessment, check out our guide.

Contact the people affected

Your company may suffer a personal data breach that jeopardizes the rights and freedoms of individuals.

If so, UK GDPR states you should inform them without undue delay. This includes advising them of the immediate risk of the breach.

This will help them take steps to protect themselves from the consequences.

Is it a criminal offence to breach GDPR?

A GDPR breach is a criminal offence.

No matter how well you manage a personal data breach, it is still GDPR infringement. And non-compliance means your business could face criminal action.

Examples of criminal action include:

Let's explore these examples further.

GDPR fines

The ICO may issue a fine if a business breaches GDPR.

Under the UK law, there are two tiers of administrative fines a business can receive for breaching GDPR.

These are:

The ICO conducts a discretionary and case-by-case basis when issuing fines.

Data subjects taking legal action

If your business suffers a personal data breach, the data subjects affected may want to take legal action. These subjects may include employees, customers and business partners.

Subsequently, your business may endure reputational damage as a result. And, this could mean more financial loss for your company, if you lose clients and customers as a result.

It may also result in lack of employee trust. Employees may not feel their information is secure due to the personal data breach.

This may increase employee turnover until you implement proper security measures.

Enforcement action

In more severe cases, breaching GDPR could even result in a prison sentence for company directors.

This is typically the case if the business has lost the data due to security weakness. Or, if data has been stolen from an employee within the business.

Get expert advice from Peninsula

As an employer, you should have a safe approach when storing the personal data of your clients, customers and workers. Personal data includes contact details, employment information, or medical records.

Even someone visiting your website can provide you with their information, and you're responsible for keeping that data safe.

If you don't have a safe approach in place, your business may suffer a large data breach, which can mean losing customers, as well as a financial loss from GDPR fines.

Our teams provide 24/7 HR advice which is available 365 days a year. We take care of everything when you work with our HR experts.

Want to find out more? Contact us on 0800 028 2420 and book a free consultation with an HR consultant today.

FAQs

Got a question? Check whether we’ve already answered it for you…

Try Brainbox for free today

When AI meets 40 years of Peninsula expertise... you get instant, expert answers to your HR and Health & Safety questions

Sign up to our newsletter

Get the latest news & tips that matter most to your business in our monthly newsletter.