GDPR - Breach process

Subject Access Requests – myhrtoolkit Users FAQ

 

What is a personal data breach?

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.

What does GDPR say about personal data breaches?

GDPR introduces a duty on Data Controllers to report certain types of personal data breach to the relevant supervisory authority, generally the Information Commissioner’s Office (ICO). If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, you must also inform those individuals without undue delay.

How can I report a potential breach?

You can email us at dataprotection@myhrtoolkit.com or alternatively you can write to us at our registered address.

If a User other than a registered system Controller reports a breach, we will need to validate their ID with a Controller from their organisation.

We will acknowledge receipt of a reported incident.

How will myhrtoolkit respond?

Once we have identified that there is a breach or the likelihood of a breach, we will acknowledge it as such to the associated Data Controller via a system Controller.

A director of Myhrtoolkit will then supervise the completion of this 4-point process:

  1. Investigate, within 48 hours
    • Determine if a breach has occurred, and if so, what personal information has been affected.
    • Identify the cause of the breach.
    • Assess the nature of any personal data breach including, where possible, the categories and approximate number of data subjects concerned, and the categories and approximate number of personal data records concerned.
    • Identify the likely consequences of any personal data breach.
    • Document the measures taken or proposed to be taken to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
  2. Record
    • Make a detailed entry of the breach including the data and customers affected and the specific circumstances and scope of the breach.
  3. Notify

In the case of a personal data breach, we will inform the controller(s) of all affected parties. This shall occur without undue delay and, where feasible, not later than 72 hours after having become aware of it. This will include:

  • the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned, and the categories and approximate number of personal data records concerned
  • the name and contact details of the data protection officer or other contact point where more information can be obtained
  • the likely consequences of the personal data breach
  • the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects

Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.

If notification is not made within 72 hours, it shall be accompanied by reasons for the delay.

  4. Rectify

We will take steps to rectify the identified situation.

We will implement changes to prevent a repeat occurrence.