The UK GDPR includes a requirements on those with obligations under the regulation to report certain types of personal data breaches to the ICO. Having a robust GDPR Breach Policy and Procedures in place is essential for continuity and to ensure compliance.
The ICO have published detailed guidance on Data Breaches, including timescales, reporting requirements and obligations.
Data Breach Template
A general definition of a personal data breach is any incident of security, lack of controls, system or human failure, error or issue that leads to, or results in, the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
The GDPR requires that adequate, effective and appropriate technical and organisational measures are put into place to ensure a level of security appropriate to the risks. Such measures should be detailed in a Data Breach Policy and can including (but are not limited to): –
- Pseudonymisation and encryption of personal data
- Restricted access and biometric measures
- Reviewing, auditing and improvement plans for the ongoing confidentiality, integrity, availability and resilience of processing systems and services
- Disaster Recovery and Business Continuity Plans
- Audit procedures and stress testing
- Regular data protection training programs for all employees
- Staff assessments and regular knowledge testing to ensure a high level of competency, knowledge and understanding of the data protection regulations and the measures we have in place to protect personal information
- Reviewing internal processes to ensure that where personal information is transferred, disclosed, shared or is due for disposal; it is rechecked and authorised for use