What to do if you have a breach?

Nick Hunt, Technical Manager, Specialist Business Support
Last updated on 23rd May 2018

Overview

Under the GDPR, a personal data breach is defined as a “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.

If a breach happens, what do you need to report, and to whom?


If a breach happens, you will need to take control of it and report it. Who you report to depends on your role:

  • If you’re a data processor, you’ll need to inform the controller

  • If you’re a controller, you’ll need to inform the regulator (the ICO)

  • If you’re a controller and there’s a high risk of harm to the data subjects, you’ll need to inform them as well

As a data processor:

You’ll need to let the controller know what has happened without undue delay, as soon as you become aware that a breach has taken place.

As a controller, you’ll need to let the regulator know:

  • Without undue delay and within 72 hours of becoming aware of the breach, unless there’s a justification for not doing so

  • Only if the breach is likely to result in some form of harm to the data subjects. If it isn’t, you’re exempt from this requirement.

As a controller, you’ll need to let the data subjects know:

  • If there’s a high risk of harm to them, such as identity fraud

  • Without undue delay.

There are some exemptions where communicating the breach to the data subjects may not be necessary:

  • Where the data is unintelligible
  • Where the high risk has been negated by measures already taken
  • Where notifying each data subject would involve a disproportionate effort

To find out more about how to identify, report and manage breaches, visit the ICO website.
