Insurance Europe, the European insurance and reinsurance federation, has issued a template for reporting data breaches to the Information Commissioner’s Office (ICO) under the General Data Protection Regulation (GDPR).
From 25 May 2018, companies will have to submit relevant information about a data breach to the ICO without undue delay and, where feasible, no later than 72 hours after having become aware of the breach. The information will include the nature of the breach, the categories and approximate number of data subjects and of personal data records concerned, the likely consequences, and the measures taken to address and mitigate the breach. The ICO has published guidance on how to meet the data breach notification obligation here.
Insurance Europe explains that it developed the template as a possible way to meet this obligation. The template is divided into three sections:
- Personal details and information on the affected organisation (not to be shared with third parties);
- Details on the data breach incident in accordance with Article 33 of the GDPR, to be sent to the ICO, where feasible, no later than 72 hours after having become aware of the breach; and
- A section to be completed following the 72-hour period, when more information is available on the breach.
James Hutchinson, a Partner at Beale & Company specialising in cyber liability and GDPR, said:
Insurance Europe’s template is a useful tool for organisations preparing for GDPR compliance. It will be of particular interest to SMEs looking for a simple way to document and report to the ICO, without wasting time in the midst of an incident.
Having a breach response plan and guidance on how to notify the ICO is vital, but of equal importance is ensuring that the organisation has allocated responsibility for managing breaches to a dedicated person or team and that staff know how to escalate a security incident within the organisation to determine whether a breach has occurred.
A copy of the template and relevant guidance is available here.