GDPR Data Breach
This section gives advice on what action to take should you suspect there has been a data breach of personal data.
Introductory statement on the General Data Protection Regulation (GDPR)
A Data Breach is described in the GDPR Article 4 (12) as: “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
Not all personal data breaches need to be notified to a supervisory authority. The notification obligations under the GDPR are only triggered when there is a breach of personal data which is likely to result in a risk to the rights and freedoms of individuals. If in doubt, ask.
A Data Breach can be offline (paper records being dumped or taken) or online (theft or loss of a PC, tablet, mobile phone or hard disk, hacking or a cyber-attack).
Royal Mail is obliged to report any significant data breaches likely to result in a risk to the rights and freedoms of individuals to the Information Commissioner not later than 72 hours after having become aware of it, in accordance with GDPR Article 55.
Suspected Data Breach – what to do if you suspect your data is lost
1. Any suspected or realised data breach must be reported immediately to the IT Helpdesk (01246 282 555).
The IT Helpdesk will log the incident and forward it to the 3 relevant departments (Information Governance, Compliance and Security Operations) who will investigate and action as necessary.
2. The PiC must also be informed immediately if the data breach involves office machinery and/or a work computer.
If in doubt at any stage, always call Central Postal Control (CPC)
Central Postal Control deals with issues on a regular basis and will be able to talk you through how to deal with any situation.