In 2017, the credit agency Equifax suffered a major data breach which affected 143 million customers in the US and nearly 700,000 customers in the UK. Although this is an extreme example, such data breaches have highlighted the urgent need for all organisations to ensure that they protect the personal data they hold to the best of their ability.
Equifax later revealed that the passwords and partial credit card details of 15,000 UK customers had been compromised. It’s thought that a further 14 million UK records were stolen in the attack, but only names and dates of birth were affected.
From 25 May 2018, when the EU’s General Data Protection Regulation (GDPR) comes into force, every organisation in the UK will have a duty to report qualifying personal data breaches to the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of them. The ICO is the independent body that will enforce the GDPR in the UK.
Elizabeth Denham, the Information Commissioner, says the threshold for determining whether an incident needs to be reported to the ICO depends on the risk it poses to the people involved.
“It will be mandatory to report a personal data breach under the GDPR if it’s likely to result in a risk to people’s rights and freedoms,” she explains. “So, if it’s unlikely that there’s a risk to people’s rights and freedoms from the breach, you don’t need to report.”
“And organisations need to remember that if there’s the likelihood of a high risk to people’s rights and freedoms, they will also need to report the breach to the individuals who have been affected.”
As Colin Sales, 3C Consultants’ Managing Director, explains in this video, the management of data breaches is one of the most far-reaching aspects of the GDPR.
It’s why your organisation must ensure that the level of security applied to the personal data you hold on tenants, employees and contractors is adequate. The more sensitive the information you hold, the tighter the security will need to be.
Your organisation must also put procedures in place so that it can detect, report and investigate a personal data breach, and so that the 72-hour reporting clock can be met once a breach is discovered.
If you need help or would like to discuss any issue that this GDPR video series raises, please call us now on 0333 900 3003.
Magee, Tamlin, ‘The most significant UK data breaches’, www.computerworlduk.com, 19 March 2018