What to do if you have a breach?

Nick Hunt, Technical Manager, Specialist Business Support
Last updated on 23rd May 2018

Overview

A GDPR breach is defined as a “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.

If a breach happens, what do you need to report?

If a breach happens, you will need to take control and report it:

  • If you’re a data processor, you’ll need to inform the controller.

  • If you’re a controller, you’ll need to inform the regulator (the ICO).

  • If you’re a controller and there’s a high risk of harm to a data subject, you’ll need to let them know.

As a data processor:

You’ll need to let the controller know what’s happened without any undue delay, as soon as you know a breach has taken place.

As a controller, you’ll need to let the regulator know:

  • This has to happen without undue delay and within 72 hours, unless there’s justification not to.

  • It is only required if the breach is likely to cause the data subject some form of harm. If not, you’ll be exempt from this requirement.

As a controller, you’ll need to let the data subject know:

  • If there’s a high risk of harm, such as identity fraud.

  • Without any undue delay.

There are some possible exemptions where a communication to a data subject may not be necessary:

  • Where the data is unintelligible (for example, it was encrypted and the key was not compromised).
  • Where any high risk has been negated by measures already taken.
  • Where notification would involve a disproportionate effort.

To find out more about how to identify, report and manage breaches, visit the ICO website.


© Prudential 2020