Use the Lexology Navigator tool to compare the answers in this article with those from other jurisdictions.

Data security and breach notification

Security obligations

Are there specific security obligations that must be complied with?

One of the key responsibilities of data controllers (if not the most important) is to ensure that information about individuals is kept safely, securely and confidentially.

Overall, in terms of compliance for data controllers, this means they must:

  • have effective organisational and technical security procedures in place; and
  • instruct their staff to keep information securely stored in accordance with the procedures in place.

In more detail, the procedures put in place must prevent the following from happening to an individual’s data:

  • accidental or unlawful destruction;
  • accidental loss;
  • alteration;
  • unauthorised disclosure and access; or
  • any other unlawful form of processing.

To prevent organisations from having to put in place disproportionate security measures to protect the data they collect, with the associated cost, the Data Protection Act 2004 provides further guidance as to what are ‘appropriate organisational and technical security measures’.

First, an organisation must have regard to the most up-to-date technology available, but can balance the effectiveness of the most state-of-the-art measures against their cost.

Second, an organisation processing data must ensure the level of data security it has in place is appropriate (proportionate) to:

  • the risks represented by the processing;
  • the harm which might occur from one of the above actions taking place (ie, accidental loss); and
  • the nature of the data being protected.

Breach notification

Are data owners/processors required to notify individuals in the event of a breach?

Not as standard under the Data Protection Act 2004.

However, the Communications (Personal Data and Privacy) Regulations 2006, which apply to the providers of publicly available electronic communications services, provide that in the event of a breach that would adversely affect data subjects or subscribers, a service provider must inform both the individuals concerned and the Gibraltar Regulatory Authority (GRA), as soon as reasonably practicable and without undue delay.

The notification must contain:

  • a description of the nature of the breach;
  • the contact points where more information can be obtained; and
  • a recommendation of the measures that can be taken to mitigate the possible adverse effects of the personal data breach.

The only circumstance in which a service provider need not notify an individual is where it can demonstrate to the GRA that:

  • it has implemented appropriate technological protection measures; and
  • those measures were applied to the data which was subject to the breach.

Are data owners/processors required to notify the regulator in the event of a breach?

Yes, in respect of electronic communications service providers and where a breach would adversely affect data subjects or subscribers. When the service provider is notifying the Gibraltar Regulatory Authority of a breach, it must also include:

  • a description of the consequence of the breach; and
  • the measures proposed or taken by the provider to address the breach.

Click here to view the full article.