GDPR – Reporting a breach
The new data protection regulation (Data Protection 2018) means that we need to be aware of what the serious breaches of data protection are and when we need to report them. We also need to ensure that we know how to report a breach of data protection, and what we need to do after it has been reported.
What needs to be reported?
Any breach of personal data of a sensitive nature that is likely to cause detriment to the party involved needs to be reported. Given the nature of our work, it is likely that any breach concerning our clients will be a breach of sensitive personal data and will need to be reported. However, the ICO does not require every single breach to be reported, and therefore a breach concerning supporters or volunteers may not need to be reported, as the data may not be sensitive. We will need to consider whether the data involved could cause detriment; for example, bank details and national insurance numbers are not public information and could be used fraudulently.
Every data user is responsible for reporting any breach, however small, to the directors as soon as they are aware of it. This report should include full details of the incident, what sort of data has been involved, when it occurred and who is reporting it.
After we are made aware of a breach of data protection, we will investigate it within 24 hours. A decision will then be made by the data protection officer whether or not to report the breach to the ICO. If a breach is considered serious enough to report then we will need to provide the following information:
- What happened?
- When it happened.
- How it happened.
- How many people could be affected?
- What sort of data has been breached?
- What do we have in place that could have stopped it?
- What have we done to help the people this affects?
- What have we learned?
- How can we stop similar breaches in the future?
How do we report a breach?
A breach should be reported to the ICO using the DPA security breach helpline on 0303 123 1113 (open Monday to Friday, 9am to 5pm).
Or, this can be done in writing using a DPA security breach notification form, which should be sent to the email address email@example.com or by post to the office address: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.
The ICO will then consider what the appropriate action is depending on the nature and effect of the breach.
When will we notify those involved?
When we become aware of a serious breach of personal data, we will endeavour to notify any data subjects who may be at risk within 48 hours of reporting the breach to the ICO.
Less serious breaches that do not require reporting to the ICO will also be acknowledged and the data subjects will be notified as soon as possible.
Whenever we become aware of a breach of data protection we will investigate it fully and for more serious breaches appropriate disciplinary measures may be taken. We want to ensure that the same breach will never occur again.
‘Policies can be ratified at any time if Government guidelines change or the policy is not effective in practice’
Date policy ratified: 1/2/2018
Date of review: Directors meeting 11th July 2020