Oliver Price's Weekly GDPR Blog #5 - Fessing Up
One of the biggest changes in the General Data Protection Regulation (GDPR), which comes into force on 25 May 2018, is what data processors and controllers have to do when a data breach has occurred. I am seeing a lot of misinformation about this, the most frequent of which confuses the different time limits that apply to a breach under the GDPR.
Most of you reading this blog will be in businesses that are “data controllers”, that is, you process and handle data relating to a living natural person. Processors are typically the IT and support companies that handle data on a controller's behalf but have no interest in the data itself. Currently nobody is required by law to report a data breach, although guidance recommends that you do. The GDPR changes this.
Data processors have to tell controllers if they spot a breach, but do not need to tell the supervisory authority, which in the UK is the Information Commissioner (ICO). Data controllers will be required to tell the ICO about all breaches (regardless of severity) within 72 hours. Controllers may also have to tell the data subject about the breach: the test is whether the breach is “high risk”, so this requires a judgement, and the time limit for that notification is “without delay”. There are also exceptions from the duty to notify the data subject, so it will be wise for any controller to be able to check its position very quickly before deciding what to do.
Last updated 03/11/2017