Many SMEs are understandably worried about receiving a GDPR data breach fine. The financial loss resulting from such a fine could seriously undermine the viability and prospects of the business; the reputational loss associated with a major GDPR breach can also take a heavy toll that reaches beyond the initial fine.
Here we provide an overview of what constitutes a GDPR data breach, what to do when a breach occurs, the financial side of the breach process, and how to better anticipate GDPR data breaches and minimise their impact for the improved security and safety of your business.
According to the Information Commissioner’s Office (ICO), a GDPR data breach occurs when there is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data”. The breach could be due to accidental or deliberate action or inaction.
Examples of data breaches include unauthorised third-party access to data, sending personal data to the wrong recipient, or alteration of personal data without consent. As a result of the incident, the confidentiality, integrity or availability of the data becomes compromised. Whether you are a data controller or processor, you have a responsibility to report breaches, but to different people. Processors must report breaches to Controllers, and Controllers must report breaches to the ICO.
When a data breach has occurred, it’s important to establish the likelihood and potential severity of the risk the incident poses to people’s individual rights and freedoms. This could include, for example, emotional distress, as well as physical and/or material damage. If a risk is likely, the ICO advises that you get in touch to inform them.
If you know or suspect a GDPR breach has occurred, you can report it to the ICO. You must do so within 72 hours of when you become aware that a breach has occurred. If necessary, you can provide an explanation for why there has been a delay.
The GDPR data breach reporting process involves providing information on the following:
You may not be able to provide all this information within 72 hours; if this is the case, the ICO recommends that you start the reporting process within this timeframe and provide further information later.
The ICO states that if a breach is likely to have an adverse effect on the rights and freedoms of the individuals involved, you must also inform them as soon as possible. Data processors also need to tell the controllers of the relevant data when a breach has occurred. This means the controller can also take action to prevent further risk.
The maximum fine for a GDPR data breach is 4% of the company’s annual turnover or £17.5 million, whichever is the larger figure. This could be a huge loss for an SME, so it’s important for small businesses to plan ahead in terms of data security and responding to breaches.
Having a plan in place to respond to potential and actual GDPR data breaches is essential for protecting your business and the personal data you hold.
Developing a robust GDPR policy that details how the business identifies and responds to data breaches will help you make sure data security is held as important by everyone in the business. This policy should be distributed to your staff just as you would share any of your important HR policies. Getting everyone educated about how to identify and escalate data security issues will help you anticipate and mitigate GDPR breaches at all levels of the organisation.
It’s essential practice, as part of your GDPR data breach policy, to keep a written log of all data breaches and near misses. The ICO advises that you keep a log of all incidents, even the ones that you don’t have to report. This will help you form an overview of security issues within the organisation that have led or may lead to a data breach.
Many businesses focus on the security and safety of their customer data, and this is highly important. However, protecting your staff’s personal information is also very important; staff have the right to know what information you hold about them and to make a Subject Access Request.
Investing in an HR software system helps small businesses keep their staff data organised and secure; myhrtoolkit has a dedicated Security Centre for putting in place the security controls that help ensure staff see only the information they need and that unauthorised parties cannot gain access. To find out more about how HR software can help your business, get in touch.