TMCnet Feature
October 12, 2021

What can be considered as a data breach?

According to the Information Commissioner’s Office (ICO) a personal data breach can be defined as ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes.’ Data Breach Compensation can be applied. Personal data breaches could include:

·        Access to data by an unauthorised third party

·        Intentional or accidental action (or lack of action) by a data controller or processor

·        Sending personal information to the wrong recipient

·        Computing devices that contain personal data being lost or stolen

·        Changing personal data without the owner’s permission and

·        Availability of personal data being lost

In short, a personal data breach has occurred whenever any personal data is unintentionally lost, destroyed, corrupted, or disclosed; if someone accesses the data or sends it on without authorisation; or if the data is made unavailable and this then has a significant negative effect on the individuals it belongs to.

When does a company need to inform affected individuals about a data breach?

If a data breach is likely to lead to a high risk for affected individuals, the UK GDPR states that a company must notify those concerned directly and without any unnecessary delay, meaning it should be done as soon as possible.

‘High risk’ means that the need to tell the affected people is higher than for notifying the ICO. Again, the company or organisation will have to look at both the severity of the potential or real impact on individuals due to the data breach and the likelihood of this happening. The risk will be higher if the impact of the breach is more serious and if the chance of negative consequences is greater.

It is in these cases, organisations will need to inform those affected promptly, especially if there is a need to reduce immediate risk of damage to them. One of the main reasons for telling people about a breach they have been a part of is to help them take the necessary steps to protect themselves from the consequences of the breach.

What details must be provided to affect individuals regarding a data breach?

When a company is informing affected people of a data breach, they need to detail in plain and clear language the nature of the breach and at a minimum:

·        The name and contact information of any data protection officer you have, or another point of contact where they can go to get more information,

·        A description of the consequences that are likely to come from the data breach as well as

·        Details of the measures that have been taken or suggested to deal with the data breach and, where suitable, a description of the steps that have been taken to mitigate potential negative effects.

If it is possible, specific, and clear advice should also be provided to people on what they can do to protect themselves and what you are willing and capable of doing to help them. Based on the situation, this could include things like:

·        Completing a password reset

·        Encouraging people to use strong, unique passwords and

·        Making them aware of phishing emails or fraudulent activity to look out for on their accounts.

Does the ICO always have to be informed about a data breach?

No, when a personal data breach happens, companies first need to determine the likelihood of risk to individuals rights and freedoms. If a risk is highly likely, the ICO must be notified, however if the risk is low and unlikely, they are not required to report it to them. Whatever the organisation decides, the decision will need to be justified, so it is important that any company or organisation that is holding data documents a breach if it occurs.

How long do companies have to report a breach to the ICO?

A notifiable breach must be reported to the ICO without undue delay, but not later than 72 hours after the company has discovered it. However, the UK GDPR understands that it won’t always be possible to fully investigate a breach within 72 hours to understand what has happened and what has been done to fix it. So, there is an article within the GDPR (Article 33) that allows them to provide the required information in pieces as long as it is done promptly without any unnecessary delays. It is expected that affected companies prioritise the investigation, give it enough resources, and send it over urgently.

For more information about data breaches and to start your claim, go to the data breach website today.

» More TMCnet Feature Articles


» More TMCnet Feature Articles