Data breaches

This subtopic reflects the notification requirements in Assimilated Regulation (EU) 2016/679, the UK General Data Protection Regulation (UK GDPR), and draws on guidance published by the Information Commissioner's Office (ICO) to provide practical assistance on managing a personal data breach. It also contains information previously set out in ICO guidance on data security breach management which predated the UK GDPR but contained additional useful practical information.

What is a personal data breach?

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. See Practice Note: How to manage a personal data breach—What is a personal data breach?

Breach of the UK GDPR can expose commercial organisations to fines of up to £17.5m or 4% of total worldwide annual turnover, whichever is higher.

Breach management

The ICO recommends that an organisation’s breach management plan should consist of the following four elements:

  1. containment and recovery

  2. assessment of ongoing risk

  3. notification of breach

  4. evaluation and response

To
