Cybersecurity and Data Breach Notification: Unlock Safety
Contained within the General Data Protection Regulation (GDPR) is an obligation to notify the Information Commissioner’s Office (ICO), the UK supervisory authority, of any personal data breach that meets certain criteria. The ICO summarises the duty as follows:
- The GDPR introduces a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority.
- You must do this within 72 hours of becoming aware of the breach, where feasible.
- If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, you must also inform those individuals without undue delay.
- You should ensure you have robust breach detection, investigation and internal reporting procedures in place.
- This will facilitate decision-making about whether or not you need to notify the relevant supervisory authority and the affected individuals.
- You must also keep a record of any personal data breaches, regardless of whether you are required to notify.
(The full ICO guidance on personal data breaches is published on the ICO website.)
This duty is new: it is not carried over from the Data Protection Act 1998 (DPA), which contained no general obligation to report breaches.
What are the practical implications of this duty and how do they affect you and your business?
What is a data breach?
The ICO defines it thus: “A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data”.
Contrary to popular opinion, a data breach doesn’t only occur when personal data is stolen or otherwise acquired in an unauthorised manner.
If personal data was rendered unavailable, that could potentially constitute a data breach.
If a bank suffered a systems failure that prevented customers from accessing their accounts, that, on a sufficient scale, may constitute a breach under the terms of the GDPR as there is a real risk that customers could suffer loss or harm.
The test for whether or not you have to report a breach is risk-based: the likelihood and severity of harm to the individuals whose data has been compromised, not simply the fact that an incident occurred.
An Example
In a simple example, if thousands of medical records were accessed and put into the public domain, that would be a clear risk of harm, and be clearly notifiable.
If the same data was maliciously encrypted and held to ransom there would also be a risk to the individuals as the lack of that data to medical professionals could also put the individuals at risk.
In both cases, although very different, the breach would have to be notified as there is a demonstrable risk to the individual.
Because the risk in both cases is high, you would have a duty not only to inform the ICO but also to inform the individuals affected by the breach.
This could be an onerous activity if many thousands of data subjects are involved and you should be mindful of this when planning potential responses to a breach.
On the other hand, if a server holding personal data used only for marketing suffered a brief failure, you may not be obliged to notify the ICO or the individuals, as no appreciable risk attaches to the short period during which the data was unavailable. You must still record the incident internally, together with the reasoning behind your decision not to notify.
The ICO
Where a breach is held to be notifiable, the ICO expects you to inform them without undue delay and, where feasible, within 72 hours of becoming aware of it; note that the clock runs from awareness, not from the moment the breach occurred, and a notification made later than 72 hours must be accompanied by the reasons for the delay.
They accept that you may not have all the details at that point. You are expected to complete your investigation as quickly as possible and to keep the ICO informed of your findings in phases as they emerge.
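As an added example, not part of the original article and not Jera IT's own tooling, the following Python breach register applies the decision described above: the 72-hour window runs from awareness (Article 33(1)), every breach is recorded whether or not it is notifiable (Article 33(5)), and a high-risk breach also triggers notification of the individuals (Article 34). The `assess_risk` heuristic, the 24-hour outage threshold and the sample incidents are assumptions constructed for illustration; in practice the risk assessment is a documented human judgement, not a lookup.

```python
"""Breach register and notification triage modelled on the GDPR tests the
article describes (Articles 33 and 34). Added example; the risk heuristic,
the outage threshold and the sample incidents are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum

NOTIFICATION_WINDOW = timedelta(hours=72)   # Art. 33(1): counted from awareness, not occurrence


class Risk(Enum):
    NONE = "unlikely to result in a risk"          # record only
    RISK = "likely to result in a risk"            # notify the ICO
    HIGH = "likely to result in a high risk"       # also inform the individuals


@dataclass
class BreachRecord:
    ref: str
    description: str
    aware_at: datetime            # when the organisation became aware of the breach
    data_subjects: int            # approximate number of individuals affected
    special_category: bool        # health, biometric, etc. (Art. 9 data)
    confidentiality: bool         # data accessed or disclosed without authority
    integrity: bool               # data altered without authority
    availability: bool            # data lost, destroyed or made unavailable
    outage: timedelta = timedelta(0)   # how long the data was unavailable


def assess_risk(rec: BreachRecord) -> Risk:
    """Illustrative heuristic only (an assumption of this example). A real
    assessment weighs likelihood and severity of harm to the individuals."""
    if rec.special_category and (rec.confidentiality or rec.availability):
        return Risk.HIGH          # medical records published, or encrypted by ransomware
    if rec.confidentiality or rec.integrity:
        return Risk.RISK          # ordinary personal data disclosed or tampered with
    if rec.availability and rec.outage > timedelta(hours=24):
        return Risk.RISK          # prolonged loss of access (24h threshold is assumed)
    return Risk.NONE              # short outage of low-sensitivity data


def triage(rec: BreachRecord, now: datetime) -> dict:
    """Decide what the organisation must do, and by when. Every breach is
    recorded (Art. 33(5)); notification depends on the assessed risk."""
    risk = assess_risk(rec)
    deadline = rec.aware_at + NOTIFICATION_WINDOW
    actions = {"record_internally"}
    if risk in (Risk.RISK, Risk.HIGH):
        actions.add("notify_ico")
        if now > deadline:
            actions.add("explain_delay")     # Art. 33(1): a late notification must give reasons
    if risk is Risk.HIGH:
        actions.add("inform_individuals")    # Art. 34: without undue delay
    return {
        "ref": rec.ref,
        "risk": risk.name,
        "ico_deadline": deadline.isoformat(),
        "hours_remaining": round((deadline - now) / timedelta(hours=1), 1),
        "actions": sorted(actions),
    }


# Constructed sample incidents mirroring the article's scenarios (not real cases).
AWARE = datetime(2018, 6, 1, 9, 0, tzinfo=timezone.utc)
SAMPLES = [
    BreachRecord("BR-001", "medical records posted publicly", AWARE, 4000,
                 special_category=True, confidentiality=True, integrity=False, availability=False),
    BreachRecord("BR-002", "medical records encrypted by ransomware", AWARE, 4000,
                 special_category=True, confidentiality=False, integrity=False, availability=True,
                 outage=timedelta(days=3)),
    BreachRecord("BR-003", "marketing list server failed for a morning", AWARE, 12000,
                 special_category=False, confidentiality=False, integrity=False, availability=True,
                 outage=timedelta(hours=4)),
    BreachRecord("BR-004", "customer CSV e-mailed to the wrong recipient", AWARE, 250,
                 special_category=False, confidentiality=True, integrity=False, availability=False),
]


def demo(now: datetime = AWARE + timedelta(hours=6)) -> dict:
    """Triage every sample incident at `now`; results keyed by reference."""
    return {rec.ref: triage(rec, now) for rec in SAMPLES}


def demo_late() -> dict:
    """The same triage four days after awareness: the 72-hour window has passed."""
    return demo(AWARE + timedelta(days=4))


if __name__ == "__main__":
    for ref, result in demo().items():
        print(ref, result["risk"], result["actions"], f"{result['hours_remaining']}h left")
```

The register entry and the triage output together are the record Article 33(5) requires: what happened, what you decided, and why. Keeping the awareness timestamp separate from the occurrence timestamp matters, because the deadline and any explanation for delay are judged against the former.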
The upshot of this is that companies not only have to take all reasonable steps to secure their systems and data but they need to perform risk assessments in order to understand the potential dangers should a breach occur.
This is best done as part of an overall data audit prior to embarking on any changes to meet the requirements of the GDPR.
Unless you fully understand the nature of the data you hold and process, and the potential risks to individuals should a breach occur, it is nigh on impossible to put in place appropriate security and procedures to protect that data.
At Jera IT, this is one of the very first actions we would advise and assist clients with.
Vendor Management
Any such audit also needs to take into account any third parties that you use to process data. Under the GDPR you remain responsible, as controller, for ensuring that your processors adhere to the requirements, and the contract with each processor must set out its security and breach-reporting obligations to you.
This falls under the heading of vendor management and is another area in which Jera can actively assist you.
Any data breach carries with it a potential operational impact, a notifiable breach carries the additional risk of reputational damage to the organisation since once notified, the breach effectively becomes public.
In such an environment your cybersecurity provisions become even more important.
It is simply beyond the scope of this article to offer comprehensive advice on cybersecurity; what is appropriate, what is necessary will vary markedly between companies.
The requirement to notify carries with it a duty to report the circumstances of the breach (its nature, the categories and approximate number of individuals and records concerned, the likely consequences) and the actions taken to mitigate the loss and the risk.
Whatever provision you make must therefore include the ability to derive meaningful reports on suspicious activity, allied to processes and procedures designed to ensure that a breach is identified, contained and curtailed as quickly as is reasonably possible.
Security and the GDPR
Security is not simply a matter of installing a firewall and anti-malware software, it is a systematic approach that needs to be planned, implemented and regularly tested.
The GDPR introduces the principle of “data protection by design and by default” (commonly expressed as “security by design”), putting an obligation on organisations to ensure that, when designing new systems and procedures, security and data protection are an integral part of the design process rather than an afterthought.
Cybersecurity, like security in general, is a serious subject and getting it right takes time, effort and cost.
Getting the right advice, especially as we await the GDPR taking effect on 25 May 2018, is more crucial than ever.
Jera are specialists in all aspects of the GDPR and can offer advice and assistance to guide you through the necessary steps to ensure your compliance with the new regulations.