Major GDPR fines reach a collective €270 million

Since GDPR came into force in May 2018, almost €270 million worth of major fines (those with a value of over €100,000) have been handed to a total of 50 companies. Companies that have been hit with these fines include Google, British Airways, Marriott Hotel Group and many other big names. A transparent reporting process will help companies identify data breaches, mitigate the risks and take any action required to ensure a data breach doesn’t happen again.

Best practice for reporting personal data breaches

The EU’s General Data Protection Regulation (GDPR) requires organisations to report certain types of personal data breaches to relevant supervisory authorities. Where feasible, you must do this within 72 hours of becoming aware of the breach.

What is a personal data breach?

A personal data breach is a breach in the confidentiality, integrity or availability of personal data. This includes situations whereby personal data is lost, destroyed, corrupted, disclosed, accessed without proper authorisation or made unavailable.

When a personal data breach has occurred, you need to establish the likelihood and severity of the risk it poses to individuals’ rights and freedoms. If a risk is likely, you must report the breach to the authorities; if it is unlikely, you most probably don’t need to. Regardless of whether a report to the authorities is ultimately made, you need to be able to justify this decision.

There is an obligation to keep a record of any personal data breaches, regardless of whether you are required to notify the authorities.

Examples of data protection breaches include:

  • Accessing personal information by an unauthorised third party
  • Accidentally sending personal data to the wrong person
  • Losing devices that contain personal information
  • Altering personal data without permission
  • Losing personal data

According to GDPR best practice, any data breach, whether reportable to the authorities or not, should be documented. The best way to do this is to implement a centralised breach reporting system. This enables Data Protection Officers to ensure the entire organisation is involved in the GDPR compliance process. It also ensures that, in the event the authorities come knocking, the details of each breach are easily identified.

In situations where the authorities decide to carry out a thorough investigation of a GDPR breach, you’ll want to be able to provide as many details as possible. This will not only help you remember exactly what happened, it can also be used as proof that your company did everything required once the breach was discovered.

You should find out:

  • When the breach was discovered
  • How the breach was discovered
  • When the breach occurred
  • The number of people that were affected by the breach and details of who they are

Identify what personal data has been revealed

Personal data includes name, residential address, phone number, email address, banking or credit information, passport numbers, driver’s license number, national insurance or ID number, date of birth and more. The breaches report should identify which categories of personal data were revealed.

Identify course of action

Once a report has been made, the Data Protection Officer should assess whether further action is required. If the breach is deemed to “pose a risk to the rights and freedoms of natural living persons”, according to GDPR it needs to be reported to the authorities. If this is not a concern, the Data Protection Officer should set out an appropriate course of action to avoid a similar breach occurring again.

Follow up reports

Make sure you have a method for following up on all reports that require further action. A centralised reporting portal should include the ability to easily flag reports that require action and follow-up. Set a reminder email to be sent to the Data Protection Officer or whoever needs to take further action. For example, if you need your support team to remove former clients’ personal details from their database, set a reminder for them to do so and a separate reminder for the Data Protection Officer to follow up.
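As an added example (not VinciWorks’ product or any code from this page), the register below shows the record-keeping described above in working Python: every breach is logged whether or not it is reportable, the justification for the risk decision is mandatory, the 72-hour notification window is counted from the moment the organisation became aware of the breach rather than from when it occurred, and records with open follow-up actions are listed for the Data Protection Officer. All field names, identifiers such as “BR-0001” and the sample incidents are constructed for illustration.

```python
"""Minimal GDPR breach register (added example, constructed data only)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

NOTIFICATION_WINDOW = timedelta(hours=72)  # GDPR Art. 33: 72h from awareness
SAMPLE_DISCOVERED_AT = datetime(2020, 3, 2, 9, 0, tzinfo=timezone.utc)  # constructed


@dataclass
class FollowUpAction:
    owner: str           # who must act, e.g. "support team" or "DPO"
    description: str
    done: bool = False


@dataclass
class BreachRecord:
    reference: str                   # constructed internal id, e.g. "BR-0001"
    description: str
    discovered_at: datetime          # when the organisation became aware
    how_discovered: str
    occurred_at: Optional[datetime]  # may still be unknown when first logged
    affected_count: int
    data_categories: list[str]       # categories of personal data revealed
    risk_to_individuals: bool        # DPO's assessment: risk to rights and freedoms?
    justification: str               # reasoning for that decision, kept either way
    notified_at: Optional[datetime] = None
    actions: list[FollowUpAction] = field(default_factory=list)

    def notification_deadline(self) -> datetime:
        # The clock starts at awareness, not at the time the breach occurred.
        return self.discovered_at + NOTIFICATION_WINDOW

    def requires_notification(self) -> bool:
        return self.risk_to_individuals

    def open_actions(self) -> list[FollowUpAction]:
        return [a for a in self.actions if not a.done]


class BreachRegister:
    def __init__(self) -> None:
        self._records: dict[str, BreachRecord] = {}

    def record(self, breach: BreachRecord) -> None:
        # Every breach is logged, reportable or not; the decision must be justified.
        if not breach.justification.strip():
            raise ValueError("risk decision needs a written justification")
        if breach.discovered_at.tzinfo is None:
            raise ValueError("use timezone-aware timestamps for deadline calculations")
        self._records[breach.reference] = breach

    def get(self, reference: str) -> BreachRecord:
        return self._records[reference]

    def references(self) -> list[str]:
        return sorted(self._records)

    def pending_notifications(self, now: datetime) -> list[tuple[str, timedelta]]:
        # Reportable breaches not yet notified, with time left (negative once overdue).
        pending = [
            (r.reference, r.notification_deadline() - now)
            for r in self._records.values()
            if r.requires_notification() and r.notified_at is None
        ]
        return sorted(pending, key=lambda item: item[1])  # most urgent first

    def flagged_for_action(self) -> list[str]:
        # Records with follow-ups still open, for the DPO's reminder list.
        return sorted(ref for ref, r in self._records.items() if r.open_actions())


def build_sample_register() -> BreachRegister:
    """Two constructed incidents: one reportable, one recorded but not reportable."""
    reg = BreachRegister()
    reg.record(BreachRecord(
        reference="BR-0001",
        description="Client list emailed to the wrong external recipient",
        discovered_at=SAMPLE_DISCOVERED_AT,
        how_discovered="Sender noticed the auto-completed address and reported it",
        occurred_at=SAMPLE_DISCOVERED_AT - timedelta(hours=2),
        affected_count=120,
        data_categories=["name", "email address", "phone number"],
        risk_to_individuals=True,
        justification="Contact details of 120 clients disclosed to an unknown party",
        actions=[
            FollowUpAction("support team", "Ask recipient to confirm deletion"),
            FollowUpAction("DPO", "Notify supervisory authority"),
        ],
    ))
    reg.record(BreachRecord(
        reference="BR-0002",
        description="Internal meeting note sent to the wrong colleague",
        discovered_at=SAMPLE_DISCOVERED_AT + timedelta(hours=1),
        how_discovered="Recipient replied to the sender",
        occurred_at=None,
        affected_count=0,
        data_categories=[],
        risk_to_individuals=False,
        justification="No personal data involved; recipient is a staff member",
    ))
    return reg


if __name__ == "__main__":
    register = build_sample_register()
    check_time = SAMPLE_DISCOVERED_AT + timedelta(hours=24)
    for ref, left in register.pending_notifications(check_time):
        print(f"{ref}: {left.total_seconds() / 3600:.0f}h left to notify")
    print("flagged for follow-up:", register.flagged_for_action())
```

Running the module lists BR-0001 with 48 hours left to notify and flags it for follow-up, while BR-0002 stays in the register with its justification but never appears in the notification list.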

Implement corrective measures

What systems are you putting in place to decrease the chances of breaches occurring again? If, for example, your organisation is implementing a new data processing system or feels there are big gaps in its data security, you may feel a data protection impact assessment (DPIA) is in order.

In a case where a major breach has occurred, the whole organisation should be made aware and should be involved in any corrective measures. If a less significant breach has occurred, such as an email that doesn’t include any personal information being accidentally sent to the wrong person, measures should still be put in place to mitigate the risk of it occurring again. In this case, the remedial action would be to ensure staff don’t enter the recipient’s email address until they have finished writing the email.

VinciWorks’ centralised GDPR breaches register

Ensuring all staff report any breaches to their compliance manager or Data Protection Officer is challenging; staff may not know how to make the report, who the reporting officer is and the associated reporting requirements. This can lead to breaches going unreported, which in some cases can lead to huge fines.

VinciWorks has built a best-practice reporting solution that allows staff to easily and efficiently report any data breaches or concerns.

All responses that require immediate action can be flagged, allowing Data Protection Officers to easily monitor whether the breach has been fully resolved. Forms can easily be built and customised to request information relating specifically to the organisation and industry.