General Data Protection Regulation (GDPR) – Breaches Policy

Under GDPR there is a duty on all organisations to report certain types of data breach to the relevant supervisory authority and in some instances the individuals affected.


A personal data breach is a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

It should be noted that a data breach is much more than losing personal data.

Breach Identification:

It is important that all staff understand what constitutes a data breach. With this in mind, training on GDPR, including information on data breaches, will be provided to all staff and Directors every 24 months. It is the responsibility of staff and Directors to record training in their training logs.

Breaches are often the result of human error or of a failure to follow data protection procedures correctly. It is important that any potential breach is identified in order that future events can be avoided.

Actual breaches must be brought to your Line Manager’s attention immediately in order that correct breach notification procedures can be followed.

Every employee is responsible for identifying a potential data breach.  If in any doubt the matter should be referred to / discussed with their Line Manager.

Insurance2day Insurance Services Ltd monitor data being sent electronically.

We have installed a firewall to prevent unauthorised external access to our electronic data. Any attempted breach of security is identified.

If a breach is identified it should be reported to your Line Manager and internal breach reporting procedures followed.

Breach Reporting Procedures:

Emma Robinson is the data protection champion and should be advised of any breaches as soon as they are identified.

Breach Notification:

Firms need to notify the relevant supervisory authority of a breach where it is likely to result in a risk to the rights and freedoms of individuals. In our instance this is the Information Commissioner's Office (ICO).

If unaddressed, such a breach is likely to have a significant detrimental effect on individuals, for example by resulting in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage.

Each breach will need to be assessed thoroughly.

Where a breach is likely to result in a high risk to the rights and freedoms of individuals we must also notify the individuals concerned as well as the ICO.

Information to be included in a breach notification:

The following information should be provided:

– The nature of the personal data breach including where possible:

  • The categories and approximate number of individuals concerned and
  • The categories and approximate number of personal data records concerned

– The name and contact details of the data protection champion

– A description of the likely consequences of the personal data breach and

– A description of the measures taken or proposed to be taken to deal with the personal data breach and, where appropriate, of the measures taken to mitigate any possible adverse effects.

How to notify a breach:

In the first instance the breach should be reported to your Line Manager who will advise the Director responsible for Breach Reporting.

It will be the responsibility of the Director responsible for Breach Reporting to notify the PI Insurers if considered necessary.

A notifiable breach should be reported to the ICO within 72 hours of becoming aware of it.  The breach notification form found on the ICO website should be used.

The ICO recognises that it will be impossible to investigate a breach fully within 72 hours and allows preliminary information to be provided with additional information being added later.

If the breach is serious enough to warrant notification to the public, we must do so without undue delay.

Failing to notify a breach when required to do so can result in a significant fine of up to 10 Million Euros or 2 percent of our global turnover.

Once the breach has been fully investigated, due consideration must be given to the root cause and whether a similar situation could occur in the future. If necessary, procedures / practices should be amended to prevent reoccurrence.

Once the matter is concluded, all senior management involved should be updated with relevant correspondence and with any final decision.


The purpose of this overview is to provide a summary of our interpretation of aspects of the GDPR regulations. This is not an analysis of the law and does not constitute a legal opinion or advice by Insurance2day Insurance Services Ltd. The contents of this overview, or any downloads, should not be relied upon – all companies need to take their own specialist qualified legal advice on any matter that relates to GDPR.