In the seventh instalment of our GDPR FAQs mini blog series we consider the implications of an employee failing to notify an organisation when the employee breaches GDPR.
Our Frequently Given Response:
There are new requirements to notify the Information Commissioner’s Office (“ICO”) of a breach of GDPR. Unlike the voluntary scheme that applied under the Data Protection Act 1998, under GDPR organisations must notify the ICO if a personal data breach occurs unless that breach is unlikely to cause harm to the affected data subjects.
Not all breaches require notification to the ICO. A personal data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed”. Any other breach (such as a failure to respond to a subject access request) does not need to be reported to the ICO by the data controller.
If notification to the ICO is required, the ICO must be notified within 72 hours of the organisation becoming aware of the breach. An organisation is deemed to become aware of the breach at the point any of its employees becomes aware of it. It is therefore important that all organisations have a process in place for ensuring employees notify an appropriate internal point of contact (data protection officer, privacy officer, head of HR, head of IT, head of Regulatory and Compliance, etc.) if they breach, or think they may have breached, GDPR.
In addition, data subjects may need to be notified of the breach without undue delay.
Data processors are required under GDPR to notify data controllers of a breach without undue delay to enable the data controller to report the breach to the ICO if necessary. Supplemental guidance has been issued which suggests a 12-hour timescale for notification by the processor to the controller may be appropriate.