GDPR - is everyone struggling with breach notification?
The GDPR has introduced a mandatory breach notification procedure for organisations that suffer a security breach leading to the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of, or access to, personal data. We discussed the headline facts in a recent article.
But it is not just column inches that are being filled here. Between May and June this year, the ICO had to deal with an almost 300% rise in breach notifications. The definition of a "personal data breach" is wide; deciding whether a breach is notifiable is difficult, because it turns on the risk to individuals (the regulator must be told within 72 hours unless the breach is unlikely to result in a risk to people's rights and freedoms, and the individuals themselves must be told where that risk is high); and the potential penalties for getting that analysis wrong are heavy. It is therefore not surprising that organisations are erring on the side of caution and reporting.
It also seems that, despite the long lead time in the run-up to GDPR, many organisations have failed to prepare for breach notification. Stewart Room, global data protection lead at PwC explains: “We had some very challenging experiences, with new customers struggling with GDPR requirements for personal data breach disclosure. The past month has revealed the extent to which organisations are not properly prepared for data breach disclosure, with some organisations lacking procedures and processes, resulting in people being unsure about what needed to be done, who should do what and who was in charge.”
So the takeaways here are: have a data breach policy in place, make sure people know their roles and responsibilities, conduct regular training, and make sure you can distinguish a reportable data breach from a non-reportable one. Bear in mind that even a breach you decide not to report must still be recorded, together with the reasoning behind that decision, so that the regulator can check it later.
For more information on this or any other matters related to GDPR please contact us. Breach notification requirements and details are included in our elearning package, produced in partnership with MeLearning. Find out more here.