When to report a data breach
Now that the General Data Protection Regulation (GDPR) has been in effect since 25th May 2018, are you as a business compliant with the new regulation?
The Information Commissioner’s Office (ICO) recommended a number of steps to get everything in place – perhaps the most important being an awareness of what the new rules mean and your responsibilities as someone who holds other people’s data in staying within them.
Without this clarity it’s easy for businesses to be on edge. To discourage a tidal wave of issue reporting from nervous enterprises afraid of being put through the wringer, the ICO offers guidance on when a breach should be reported and when it’s acceptable to handle the matter internally.
When to report a breach
While certain organisations are already required to report certain types of breaches, other entities only have a duty to inform the ICO if the breach is going to have a negative impact on the people whose data is involved.
The nature of the breach, as well as its size, determines how serious it is – and all major issues should be reported.
For example, if the login details of thousands of customers held by an online store are exposed and left vulnerable to hackers, this could cause those customers financial loss and contravene their confidentiality.
Another example might be private emails being made public, damaging the reputation of the sender, the recipient, or others implicated in the conversation.
Not only would you need to inform the ICO, but you would also have a duty to notify those who have been affected.
The ICO should be contacted about any notable breach within 72 hours of the business becoming aware of it if the business is to lessen the chances of a heavy fine, although carelessness around data will likely result in a financial penalty regardless.
Under the new GDPR, failing to notify the ICO of a significant breach can incur a fine of up to 20 million Euros or 4% of your global turnover, on top of the fine for the breach itself.
When not to report a breach
Not all data is sensitive, and not all of it will cause a problem if it gets out into the open. Examples include an internal staff contact list, or a marketing list of names to be targeted for a product, provided the product isn’t especially sensitive.
Smaller breaches do not have to be reported to the ICO unless they are likely to cause harm to the data subject.
However, if you are in doubt, why not check with us as your insurance broker: if you have any cyber insurance in place, or any legal expenses cover in your policy, it may be able to offer advice and guidance in these situations.
For more information on how regulatory fines fit into your commercial insurance package, get in touch with us here at Fiveways Insurance on 01952 812380 or email us on email@example.com.