What the ICO says –
“You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.”
What does this mean for your organisation –
This means that all relevant technical and organisational controls must be in place to mitigate data breaches. Which controls you need will depend on several things, such as what data you process and how you process it. The controls for an organisation that processes only minimal PII will differ from those of an organisation processing massive amounts of PII. At the very least, all organisations should have suitable internet protection, staff education and privacy policies.
What is a data breach though?
Under the GDPR a data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
A key point here is that the GDPR is only concerned with Personally Identifiable Information (PII), but I would recommend that you concern yourself with all data your organisation holds, as it is the lifeblood of an organisation.
Many people think of a data breach as the big, high-profile “Cyber Hacks”, and yes, they are one example, but here are a few other examples of data breaches:
- Cyber Attack (Hacks, Phishing, Vishing, Malware etc)
- Lost Laptops/Mobiles
- Shouting Across the Office (Passwords, customer PII)
- Passwords written down
- Tailgating (Entering restricted areas without challenge)
- Listening In (Talking too loudly, not discussing private matters behind closed doors)
- Messy desk syndrome
- Deletion/damage of data (either malicious or accidental)
I’m sure we have all seen these in some way or another and not given them much thought, but they all lead to potential breaches of PII and need to be controlled. Certain data breaches are reportable to the ICO, some only to the data subject, but all should be recorded and managed accordingly so that they do not recur.
Breaches that need to be reported also require a lot of information about the breach, including, but not limited to, what was breached and how, who is affected, and what is being done to stop it happening again. All of this needs reporting within 72 hours of you becoming aware of it, no small task indeed.
The 12 Days of GDPR snippets are not designed as a guide to make your organisation GDPR compliant, they are just to whet your appetite to get you started. BMGUK Consultancy Ltd has one of the few certified EU GDPR Practitioners in the UK, so get in touch and I can assist your organisation to become GDPR compliant.
What is the GDPR? – It is the new evolution of data protection across the EU. On May 25th, 2018, the General Data Protection Regulation becomes enforceable, so if your organisation processes personally identifiable information of any EU resident then you need to be prepared for the GDPR; otherwise your organisation could face significant penalties.
From the largest multinational down to the smallest of sports clubs anywhere in the world, if your organisation offers goods or services, even free ones, to EU residents then it is highly likely that your organisation will be required to comply with the GDPR.
Whether your organisation is based in the UK or overseas, get in touch with BMGUK Consultancy Ltd for all your GDPR needs.