By
Manuel Martinez
February 1, 2023
A data breach is not only costly for your organisation in terms of the time spent to rectify a breach and the reputational damage caused, but it can also be costly from a regulatory perspective when you fail to notify. As an SME, it is important that your organisation understands when to notify a data breach under the UK General Data Protection Regulation (GDPR), and to whom and how to notify it.
Not sure what counts as a data breach? Read our previous blog post, "10 Examples of SME data breaches and how to prevent them", to find out.
When should data subjects be notified?
Communication of personal data breaches to data subjects is governed by Article 34 GDPR which states that your organisation should report a data breach without undue delay if there is "a high risk to the rights and freedoms of natural persons".
Recital 85 of the GDPR clarifies this to mean physical, material, or non-material damage to natural persons, if a breach is not addressed in a timely manner, such as:
The loss of bank details, the sharing of private information such as someone's address, or the exposure of information that would allow someone else to steal an identity are all examples of risks to a person's rights and freedoms.
However, the Information Commissioner's Office (ICO) suggests that the threshold for notifying data subjects is much higher than that for notifying the ICO. This is partly because notifying data subjects of minor issues may cause unnecessary worry, especially when the breach is unlikely to pose a high risk to their safety or freedom.
In fact, too many notifications may cause data subjects to become complacent and disregard a notification when an important one asks them to act to protect their personal data.
Generally, the GDPR notes that notification to data subjects is not required when:
How to notify a data breach to data subjects
In case you do need to notify data subjects, the GDPR notes that the communication to data subjects:
When should the ICO be notified?
The threshold for reporting a personal data breach to the ICO is much lower than that for notifying data subjects, but this does not mean that every data breach needs to be reported. You should notify only if the breach poses a risk to people: assess the likelihood and severity of the risk to people's rights and freedoms following the breach. If, after this assessment, it is likely that there will be a risk, you must notify the ICO.
If you are reporting a breach, it should be reported to the ICO without undue delay and within 72 hours of your organisation becoming aware of it. Remember, a failure to notify the ICO of a relevant data breach may lead to a fine of up to EUR 10m or 2% of your annual global turnover, whichever is higher.
The ICO website provides a self-assessment to help you decide whether you should report a breach to the ICO.
How to notify a data breach to the ICO
Call the ICO on 0303 123 1113. Alternatively, if you think you have dealt with the breach appropriately, you can notify the ICO online through its website.
Below is a list of things to think about:
How to prevent a data breach
The Privasee dashboard is a quick and simple way for your organisation to prevent a data breach and, in a worst-case scenario, keep on top of data breaches. With features that let you record the time and date of a personal data breach and the person responsible for dealing with it, it helps you manage your overall privacy risks with increased oversight.
Preventing data breaches need not be costly nor a headache with the right tools.
If you require assistance with notifying a data breach, please contact a member of the Privasee team at contact@privasee.co.uk and receive a free consultation.
Disclaimer
This article does not constitute legal advice in any form and only seeks to break down some of the main points set out by publicly available sources such as the ICO.
Further information and sources
https://ico.org.uk/for-organisations/report-a-breach/personal-data-breach/
Article 34 GDPR, Recital 85 GDPR: https://www.legislation.gov.uk/eur/2016/679/contents
https://kyc-chain.com/how-to-identify-a-data-breach-and-report-it-quickly/