If you’re running an eCommerce business, or your business stores information online, it’s important to know the legals around data privacy and IP protection. Even where businesses take the right steps to protect their data, some breaches are out of our control. 

So, your business should be prepared for these unideal situations. 

One of the key terms to be aware of is a Personal Data Breach.

Personal Data Breaches are data breaches that are likely to cause ‘serious harm’. When this happens, the business falls under an obligation to notify the people who are likely to be affected.

This is set out in the UK General Data Protection Regulation (GDPR), which is a set of rules to guide businesses on how to manage personal information that they collect.

Let’s go into a little more detail about what this means for your online business. 

What Exactly Is A Personal Data Breach?

If you’ve experienced a data breach that brings a high risk of affecting people’s rights and freedoms, GDPR states that you must report this breach to the relevant authority within 72 hours.

In the UK, this means you’d need to report to the ICO. The ICO promotes the protection of data privacy for individuals.

This is usually the case where the data breach has affected personal or sensitive information. So, this might include customers’ personal data like their name or phone number. 

What Is Considered A Data Breach?

A data breach is a broad term, but it needs to be reported if it affects personal information. Generally speaking, these kinds of data breaches lead to the “accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.”

For example, this could include:

  • Sending personal data (like a home address) to the wrong person
  • Changing personal data without consent
  • Breach of data by an unauthorised third party

This kind of breach also extends to situations where data is no longer made available when it should be. 

There Has Been A Data Breach – What Do I Do?

Let’s say your business has experienced a data breach – but don’t panic! What’s important is that you take the right steps to notify the affected parties. 

First, you want to notify the ICO. You’ll need to fill out a form which allows you to report a data breach. Be sure to include the following details:

  • A description of the breach (this includes the number of affected individuals)
  • Name and contact details of the data protection officer
  • A description of the likely consequences of the breach
  • A description of the measures taken to manage the breach or contain it

Then, you’ll want to notify individuals who might suffer consequences as a result of this data breach. 

How Do I Notify Individuals About A Data Breach?

When it comes to individuals (this includes any third parties or customers), you may want to contact them through emails, text messages or phone calls. You will need to include the following details in the notification:

  • Your organisation’s name and contact details
  • The personal information that was breached
  • A description of the breach
  • A description of the likely consequences of the data breach
  • Steps you can take in response (this should form part of a Data Breach Response Plan, which we’ll cover in more detail shortly). 

If the breach is ‘high risk’, then you must notify the affected individuals ‘without undue delay’. This is more urgent than the 72-hour window for reporting to the ICO, so don’t wait for the ICO report to be complete before contacting the people affected.

How Do I Respond To A Data Breach?

Businesses should always take the right measures and precautions to ensure they don’t end up in messy situations like these. But unfortunately, things don’t always go as planned and might be out of your control. 

This is why you should always mitigate risks from the outset, and have the right policies in place. This way, when things get complicated, you’ll have a clear process for people to follow and minimise any risk of damage or loss. 

Data Breach Response Plan

When it comes to ensuring your business is compliant with privacy laws, it’s essential that you have a good Data Breach Response Plan. This written plan should outline the roles and responsibilities of relevant parties where a data breach has occurred. 

It should also be easily accessible for your staff. 

Put simply, a Data Breach Response Plan will set out the process to be followed where there has been a data breach. For example, who is responsible for containing the data? How will you notify the affected individuals? How will you notify the ICO? 

How Can I Protect My Data And IP?

We’ve covered the steps you can take to respond to a breach, but how can you try to minimise that risk from the beginning?

All businesses should invest in a good cyber security system to avoid any breaches. The following list is a good place to start:

  • Update your systems regularly – this might involve changing passwords or updating your authentication process
  • Monitor your employees’ (and contractors’) access to your systems and data
  • Build a strong Cyber Security System
  • Include Non-Compete Clauses in your contracts
  • Include Confidentiality Clauses in your contracts
  • Train employees about cyber security and your internal policies around data protection

Need Help With A Data Breach Notification?

If your business has experienced a data breach, and you need to inform relevant parties, Sprintlaw has a team of lawyers who can help you draft the right data breach notification for you. It will include the right details for your business and information around the nature of the breach itself. 

You can reach out to us for a free, no-obligations chat at [email protected] or +44(0)2034321860.

About Sprintlaw

Sprintlaw's expert lawyers make legal services affordable and accessible for business owners. We're an award-winning, online law firm for small businesses in the UK.
