
What is a personal data breach and how do we respond to it?

IAM RoadSmart recently required all affiliated Groups to complete a GDPR Implementation Declaration. Groups asked for help on how to deal with a personal data breach so IAM RoadSmart have created some guidelines for you which they hope you find useful.

What is personal data?

Personal data only includes information relating to natural persons who:

  • Can be identified or who are identifiable, directly from the information in question; or
  • Who can be indirectly identified from that information in combination with other information.

What identifies an individual could be as simple as a name, a number, location data, an email address, etc.

What is a personal data breach?

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is about more than just losing personal data.

Personal data breaches:

More information about personal data breaches.

Examples of a data breach:

  1. An email is sent to all committee members showing the email addresses of all recipients
  2. A committee member allowing a family member to access and view secure data

What to do if you need to report a breach:

When a personal data breach has occurred, you need to establish the likelihood and severity of the resulting risk to people’s rights and freedoms. If it’s likely that there will be a risk, then you must notify the ICO; if it’s unlikely, then you don’t have to report it. However, if you decide you don’t need to report the breach, you need to be able to justify this decision and document it.

Data breach where IAM RoadSmart is the controller:

If a data breach has occurred, you will need to notify IAM RoadSmart immediately (and in any event no later than 24 hours) after the Personal Data Breach has occurred or been identified.

Please report any Personal Data Breach to data.protection@iam.org.uk

Data breach where the Local Group is the controller:

Report a personal data breach to the relevant supervisory authority (ICO). You must do this within 72 hours of becoming aware of the breach, where feasible. You must also keep a record of any personal data breaches, regardless of whether you are required to notify the relevant supervisory authority (ICO). IAM RoadSmart must also be informed of the Personal Data Breach.

Please report any Personal Data Breach to data.protection@iam.org.uk

Details of how to report a personal data breach can be found on the ICO website: Report a breach

Data Subject Requests:

Notify IAM RoadSmart immediately (and in any event no later than 24 hours) of any Data Subject Requests received where IAM RoadSmart is the controller.
