HR Data: How to effectively manage a data breach involving HR data - Lexology

2022-10-16 15:45:16 By : Ms. janny hou


In this article, we provide a refresher for HR practitioners on what should happen when data breaches occur.

A breach may occur if personal data is destroyed, lost, altered or if there is unauthorised disclosure of (or access to) personal data as a result of a breach of security.

This is a very wide definition, and it clearly goes beyond a simple loss of data (for example, where a hard drive containing a database of your employees’ data is left on a train). It also encompasses situations where a lack of security controls on an employer’s IT system has allowed the data to be accessed by people who are not authorised to do so.

When an employer becomes aware of a personal data breach, what are the key things that it must do without delay?

Initial steps should be taken immediately to contain the breach and to carry out any remedial action needed to prevent further breaches of that personal data. For example, if sensitive information was sent to the wrong individual, ask them to delete it, return it securely, or hold it safely for you to collect. The employer should then consider whether any notifications need to be made to the Information Commissioner’s Office (‘ICO’) or to the individuals affected by the breach.

Not all breaches will need to be notified, but the exercise of ascertaining whether this obligation is triggered must be undertaken as early as possible.

The ICO website provides a self-assessment tool to help with this: Self-assessment for data breaches | ICO

Whether the employer is required to notify the ICO or not, it must keep an internal record of any personal data breaches. The internal record should document the facts of the breach, its effects, and the remedial action taken by the employer.

In addition, the employer should investigate whether the breach was down to human error or a systemic issue and consider how a recurrence of the event can be avoided.

If notification is required, what information must the employer give to the ICO?

The obligation to notify is only triggered where the breach places data subjects at some kind of risk (such as where sensitive personal data or financial details are compromised).

Where a notification is necessary, the ICO must be provided as a minimum with the following details:

Breaches can be reported over the phone to the ICO helpline, or online via the ICO form. In any event, employers should keep an internal written record that the breach was reported.

What is the timeframe for making a notification?

Employers must report notifiable breaches “without undue delay” and, where feasible, within 72 hours of becoming aware of them. An employer will rarely have concluded its internal investigation within this initial 72-hour period, but that must not deter it from making the notification. Whatever information is available by the 72-hour deadline must be provided in any case, with the remainder following as soon as possible thereafter.

Do affected data subjects need to be told about the breach?

When there is a ‘high risk’ to the rights and freedoms of data subjects, the affected individuals must be notified ‘without undue delay’.

When determining whether the breach is ‘high risk’, consider the severity of the potential or actual impact on the individual data subjects. If the impact of the breach or likelihood of consequences is severe, this increases the level of risk.

If notification is required, the employer must provide data subjects with information regarding the breach in plain and simple language. This must include likely consequences of the breach, the measures taken or proposed to address the breach and mitigate possible adverse effects, as well as contact information for the employer’s data protection officer or other relevant data contact.

In addition, best practice suggests employers should provide data subjects with steps they can take to safeguard themselves, and what the employer is willing to do to help, for example, password resets.

Employers should bear in mind, however, that notifying individuals will not be required if:

What are the consequences of failure to notify a personal data breach?

Employers could face a fine of up to £8.7 million or 2% of the employer’s global turnover (if higher) as well as having to deal with any potential reputational damage. However, the notification obligations are not particularly onerous and provided that employers have an appropriate internal breach reporting procedure in place, then compliance should be achievable by all employers.

What other personal data breach obligations should employers be aware of?

All companies must keep an internal data breach register, which must record certain details of every data breach. It is therefore vital that employees are informed (for example, in a policy or staff handbook) and trained on what a personal data breach may look like in practice and on the steps they must take to report a breach internally. The register must be available for inspection by the ICO upon request. Keeping and maintaining the breach register is therefore a key way in which employers can demonstrate compliance with the overarching principle of accountability.

What should HR’s role be in connection with personal data breaches?

We recommend that as part of any wider GDPR compliance programme, HR practitioners consider the following measures:


Regulation (EU) 2016/679 - General Data Protection Regulation (GDPR)

© Copyright 2006 - 2022 Law Business Research