A personal data breach refers to a breach of security that has led to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
Example: A list of client details is accidentally attached to an email.
An organisation needs to have processes in place that tell individuals what to do in the case of a personal data breach. This will depend on the severity of the breach and the kind of personal data that has been involved.
In the event of a data breach, an organisation is required to assess the severity of the breach. The main concern is to assess the potential for any negative consequences that could happen to an individual as a result of the breach. This assessment should also take into consideration whether any special category data was involved in the breach. If a decision is made not to report the breach, then this decision must be justifiable and documented.
If the organisation determines that the breach could cause potential negative consequences, then there are two actions it must take:
- Report the breach to the ICO within 72 hours of its occurrence.
- Inform individuals involved that their data has been compromised.
Failure to report a breach can result in a fine of up to £8.7 million or 2 per cent of the organisation’s global turnover.