Firstly, what is the GDPR?
The General Data Protection Regulation (GDPR) came into effect in 2018 and unifies the rules for processing personal data by private and public companies. The regulation aims to ensure the protection of personal data across all industries. The principles for the processing of personal data under the GDPR are:
- Process it lawfully
- Be completely transparent on how data will be stored, processed, and used
- Have a clear purpose for using the data
- Keep personal data storage to a minimum as much as possible
- Be accurate with what data you need and don’t collect unnecessary information
- Don’t store data for longer than you need it and delete information safely
- Have integrity and do everything you can to protect personal data
- Be accountable for your actions
So, what counts as a breach of GDPR?
There has been a lot of confusion surrounding what can be classed as a breach of GDPR and what can’t be. In the GDPR a personal data breach is defined as ‘a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.’ To explore this further, personal data breaches can be organised into three categories:
- Confidentiality breach – where there is an unauthorised or accidental disclosure of or access to personal data. This kind of breach is most common with patients’ records at medical centres and hospitals.
- Availability breach – where there is an accidental or unauthorised loss of access to, or destruction of, personal data. An example of this would be the sort of problem that arises after a cyber attack that prevented access to records and/or destroyed them.
- Integrity breach – where there is unauthorised or accidental alteration of personal data.
A data breach could possibly involve all three categories depending on the nature of the circumstances.
How has the definition of “personal data” changed?
In the past, when a company dealt with business transactions, it could be assumed that personal data strictly meant account or ID numbers, addresses and dates of birth. Whilst this type of data should still be kept secure, the GDPR has expanded the definition of personal data.
Now, personal data means “any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier”. This means that social, mental, economic, cultural, and even genetic information will now be considered personal data that is to be protected by GDPR requirements.
What is the penalty for a GDPR violation?
The national supervisory authorities are required by the GDPR to impose certain warnings or fines for data protection offences. Any person who believes that their personal data is being processed unlawfully has the right to lodge a complaint with the ICO (Information Commissioner’s Office). The ICO can then investigate the security measures at that organisation and the degree to which it was at fault, and impose a fine based on its findings.
How long does a company have to report a breach of GDPR?
Whether the cause is a cyber-attack, a software error, a hardware failure or human error, all companies are obliged under the GDPR to report any violation of the protection of personal data to a data protection supervisory authority. Article 33 of the GDPR states that the responsible party must notify the competent supervisory authority (the ICO) of a personal data breach straight away and, if possible, within 72 hours of becoming aware of it. If the notification is delayed, a reasonable justification for the delay must be provided.
There is also a duty of documentation: the person responsible must ensure that all the factors that led to the GDPR breach are clearly presented and documented. The better the company is prepared for a potential GDPR infringement, the better its chances of receiving only a small fine or even just a warning.
Now you know what counts as a breach, how can GDPR violations be prevented?
A GDPR violation can happen to any company. The best way to minimise the risk of a breach in an organisation, and its resulting consequences, is to take preventative measures. As well as having a strong crisis communication strategy, it is advisable to appoint a data protection officer (in some cases this is mandatory). To be sure of the strength of data security in a business, and to actively counteract a GDPR violation, all applications and software products used by the company should be checked to ensure they comply with GDPR regulations.
What else do you need to know about GDPR and data breaches?
1) Companies need to provide a clear explanation for collecting personal data
Many companies collect a user’s data without their knowledge. Even if the user doesn’t mind, there needs to be a clear explanation of how that data will be used. In accordance with GDPR principles, a person must give explicit consent for how their data is being used.
2) Victims must be alerted to any risk
If a breach does occur, the company must contact the affected individuals straight away. According to GDPR principles, it is not appropriate or sufficient to release news of a breach through a press release, on a website, or through the use of social media.
3) GDPR compliance can differ from one company to the next
Compliance has a lot to do with a company’s size, the personal data that is collected via internal communications methods like a team app, as well as the goods and services that are offered.
If you think you have experienced a GDPR data breach, contact us today and we can put you in contact with data breach solicitors. They can investigate your data breach claim and see if you have a case that is worth pursuing. If you do have a strong case, you could be entitled to compensation not just for the risk of having financial information exposed, but also for any emotional distress or anxiety you suffered as a result of having your personal data compromised.