Many SMEs are understandably worried about receiving a GDPR data breach fine. The financial loss resulting from such a fine could seriously undermine the viability and prospects of the business; the reputational loss associated with a major GDPR breach can also take a heavy toll that reaches beyond the initial fine.
Here we provide an overview on what constitutes a GDPR data breach, what to do when a breach occurs, the financial side of the breach process, and how to better anticipate GDPR data breaches and minimise their impact for the improved security and safety of your business.
What is a GDPR breach?
According to the Information Commissioner’s Office (ICO), a GDPR data breach occurs when there is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data” (source). The breach could be due to accidental or deliberate action or inaction.
Examples of data breaches include unauthorised third-party access to data, sending personal data to the wrong recipient, or alteration of personal data without consent. As a result of the incident, the confidentiality, integrity or availability of the data becomes compromised. Whether you are a data controller or processor, you have a responsibility to report breaches, but to different people. Processors must report breaches to Controllers, and Controllers must report breaches to the ICO.
When do you need to report a data breach?
When a data breach has occurred, it’s important to establish the risk and potential severity of the incident affecting people’s individual rights and freedoms. This could include, for example, emotional distress, as well as physical and/or material damage. If a risk is likely, the ICO advises that you get in touch to inform them.
How to report a GDPR breach
If you know or suspect a GDPR breach has occurred, you can report it to the ICO. You must do so within 72 hours of when you become aware that a breach has occurred. If necessary, you can provide an explanation for why there has been a delay.
The GDPR data breach reporting process involves providing information on the following:
- The nature of the breach (including number of individuals concerned and categories and approximate number of personal data records concerned where possible).
- The contact details of your data protection officer (or the most relevant contact if you don’t have one).
- The likely consequences of the breach.
- The measures you have taken or will take to deal with the breach and contain or alleviate possible adverse effects.
You may not be able to provide all this information within 72 hours; if this is the case, the ICO recommends that you start the reporting process within this timeframe and provide further information later.
Reporting to the affected individuals
The ICO states that if a breach is likely to have an adverse effect on the rights and freedoms of the individuals involved, you must also inform them as soon as possible. Data processors also need to tell the controllers of the relevant data when a breach has occurred. This means the controller can also take action to prevent further risk.
GDPR breach fines
The maximum fine for a GDPR data breach is 4% of the company’s annual turnover or £17.5 million, whichever is the larger figure. This could be a huge loss for an SME, so it’s important for small businesses to plan ahead in terms of data security and responding to breaches.
Developing your GDPR data breach response plan
Having a plan in place to respond to potential and actual GDPR data breaches is essential for protecting your business and the personal data you hold.
Creating a data breach notification policy
Developing a robust GDPR policy that details how the business identifies and responds to data breaches will help you make sure data security is held as important by everyone in the business. This policy should be distributed to your staff just as you would share any of your important HR policies. Getting everyone educated about how to identify and escalate data security issues will help you anticipate and mitigate GDPR breaches at all levels of the organisation.
Keeping a data breach log
It’s essential practice, as part of your GDPR data breach policy, to keep a written log of all data breaches and near misses. The ICO advises that you keep a log of all incidents, even the ones that you don’t have to report. This will help you form an overview of security issues within the organisation that have or may lead to a data breach.
How to keep your staff’s data secure
Many businesses hold the security and safety of their customer data – and this is highly important. However, protecting your staff’s personal information is also very important; staff have the right to know what information you hold about them and make a Subject Access Request.
Investing in an HR software system helps small businesses keep their staff data organised and secure; myhrtoolkit has a dedicated Security Centre for putting in place the security controls that help ensure staff are only seeing the information they need to and unauthorised parties cannot gain access. To find out more about how HR software can help your business, get in touch.
Read more from the myhrtoolkit blog
How to avoid a GDPR breach: a guide for SMEs
GDPR and HR systems: how to choose GDPR compliant HR software
Written by Camille Brouard
Camille is a Senior Marketing Executive for myhrtoolkit who writes on topics including HR technology, workplace culture, leave management, diversity, and mental health at work.