Employers must now report any data breaches to the ICO within 72 hours of the organisation becoming aware of it.
Reporting data breaches
Unlike the previous regime, this has now become a mandatory requirement, and employers must also inform any employees of the breach. However, it is not necessary to report every breach, only those that are likely to affect the rights or freedoms of the individual, for example by risking identity theft, discrimination or financial loss.
Within the breach notification, employers must state what has happened, why and how the breach occurred, how they are rectifying the situation and how they are protecting against the breach happening again in the future.
Under GDPR, the ICO has many powers of enforcement, including investigative powers, the ability to make compliance orders and the power to impose financial penalties.
Fines for data breaches
There has been much concern about the fines that can be imposed. Under GDPR, they are described as those that are ‘effective, proportionate and dissuasive’, being up to €20 million or 4% of the organisation’s global turnover, whichever is higher. The ICO has confirmed, however, that these top-end fines will be rare and reserved for only the most egregious breaches.
What should HR professionals do?
- Ensure you have policies and processes in place so that data breaches are avoided in the first instance where possible and, where they do occur, are responded to in line with GDPR timescales
- Ensure records of all data breaches are kept. It would be good practice to keep an internal record of even the less serious breaches that do not require notification to the ICO
- Liaise with IT teams to implement any technical measures to protect personal data