When GDPR is enforced from 25th May 2018, any breach of personal data must be reported to the UK Information Commissioner's Office (ICO) within 72 hours of the business becoming aware of the issue. Failure to notify can result in a fine of up to €10m or 2% of global turnover. Negligent or intentional violation of GDPR can result in a fine of up to €20m or 4% of turnover.
If the breach is likely to result in a high risk of adversely affecting individuals' rights and freedoms, we must also inform, without undue delay, those individuals if we act as their data controller, or the appropriate agency or agencies acting as data controller for those data subjects. It is then the responsibility of the data controller to notify their data subjects if appropriate.
If the breach involved any unauthorised access which contravenes the Computer Misuse Act, we would also notify the cyber-crime unit of the Police Service of Northern Ireland (PSNI).
Our internal processes would also involve identifying the source of the data breach and the extent of any data which has been compromised, which in turn would determine the risk to the data subjects affected. The vulnerability in our systems or procedures would be identified as quickly as possible, and immediate attention given to resolving that vulnerability. All information relating to the source of the breach and steps taken to resolve it would form part of the report to the ICO.
Of course, we take every precaution on an ongoing basis to ensure that all personal data is stored safely and securely, to prevent a breach occurring.