The GDPR and personal data breaches

Issued: Tue, 22 May 2018 12:29:00 BST

The General Data Protection Regulation (or GDPR) is almost here, coming into force this Friday 25 May.

Designed to take into account the significant changes in technology and in the way personal data are used and shared, the GDPR gives individuals additional rights and control over how their data are used. It also introduces the highly demanding 72-hour reporting requirement regarding the identification, investigation and reporting of personal data breaches.

The GDPR now requires organisations to report data breaches to the Information Commissioner’s Office (ICO) within 72 hours. Any personal data breach, or suspected personal data breach, must be reported immediately to the University's Data Protection & Freedom of Information Office and must be immediately contained and mitigated. When reporting an incident, it is important to supply as much information as possible in order to inform the investigation.

Personal data breaches are a major concern for those affected, as well as a key area of action for the ICO. Breaches can take many forms, including:

  • cyber incidents
  • data left in insecure locations
  • failure to redact data
  • failure to use the bcc option when sending email
  • loss or theft of unencrypted devices

However, by far the most common cause of personal data breaches is emails inadvertently sent to the incorrect recipient. It is important, therefore, to check carefully that recipient address details are correct, and to be mindful that some email systems automatically populate address fields based on previous communications. The “recall” option available in some email systems rarely works and cannot be relied upon: once an email is sent, it’s sent. Additional guidance on information security and email is available from IT Services.

Breaches may attract significant financial penalties, and a failure to report a breach, or to report it in a timely manner, may result in an additional fine. The value of any fine imposed will take into account the behaviour and culture of the organisation. Organisations therefore have the opportunity to reduce any potential fine by being able to demonstrate the steps they have taken to achieve compliance and to promote a culture of data protection.

The University has developed a data breach reporting flowchart, as well as a checklist of the information required when reporting a breach. Further guidance on this and other GDPR issues can be found on the University’s GDPR pages.