As of 25 May 2018, the UK's and Europe's data protection laws will undergo a substantial change as a result of the General Data Protection Regulation (GDPR) and the Data Protection Act 2018, which is the UK's legislation mirroring GDPR.
Amongst the many changes brought about by GDPR and the Data Protection Act 2018, one of the most notable is the obligation on businesses to proactively monitor and report on data breaches. This involves maintaining a register of breaches and, in certain circumstances, notifying the Information Commissioner's Office (the ICO) and, sometimes, the data subjects themselves, that data has been lost. In addition, the deadlines for notifying the ICO of breaches are very short, and failure to respond within the set deadlines or with the correct information could lead to substantial fines and reputational damage for ESP.
By following this simple process we can ensure that any data breaches that may occur are dealt with by the appropriate people within ESP and within the timescales set out in the law.
According to the ICO, a data breach is:
“A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a public electronic communications service.”
In short, it’s where personal data we are holding is lost or seen by someone who isn’t entitled to see it.
For the purposes of this policy, ESP has split potential breaches into three categories, which are as follows:
Minor Breaches – this is where the amount of data exposed is minimal and is not of a sensitive nature, meaning that the persons who are subject to the breach are unlikely to feel their rights have been unduly affected by the exposure. An example of a minor breach could be sending an email to the wrong person. Minor breaches will be recorded on ESP’s breach register but not reported to the ICO.
Serious Breaches – this is where a large amount of data is exposed, or some of the data that has been exposed could be seen as sensitive with the result that the persons who are subject to the breach are likely to feel their rights have been adversely affected by the exposure. An example of a serious breach could be sending a marketing email with all recipients’ contact details being visible to everyone. Repeated minor breaches of the same nature can also amount to a serious breach. Serious breaches will be recorded on ESP’s breach register and reported to the ICO without delay.
Major Breaches – this is where a substantial amount of data is exposed, or the data that has been exposed is highly sensitive (such as employee medical records), with the result that the persons subject to the breach feel their rights have been significantly affected by the exposure. Major breaches will be recorded on ESP's breach register and reported to the ICO without delay. ESP will also notify all affected data subjects, informing them of the breach, how it happened, and what ESP will do to rectify the breach and stop it from happening in the future.
If you have reason to believe there has been a data breach then you must immediately speak to Peter Byrne, or ESP’s Operations Manager in Peter’s absence, and provide them with any information you have regarding the breach. As a minimum, Peter will need to know:
You must provide Peter with as much support and information as he requests relating to any breach you may have discovered.
It is Peter Byrne’s responsibility to manage ESP’s response to any potential data breach, together with the senior management team, and no actions must be undertaken without the approval of the senior management team or Peter Byrne.
Peter, together with the senior management team, external advisors and, if necessary, the ICO, will determine the nature and seriousness of the breach and any actions ESP must take in response to the breach.
Peter Byrne has been delegated the responsibility to maintain ESP’s data breach register. This register will be provided to the senior management team on a regular basis so they can assess ESP’s compliance with data protection laws and processes. Employees will not be specifically listed in the breach register (whether as the person identifying the breach or as the person causing the breach) and will not be provided with a copy of the register as it is confidential and commercially sensitive.