The GDPR has been a game changer for data breach notification. Data breach notification is mandatory for all businesses, with the precise obligations depending on whether they act as a controller or a processor and on the likely impact of the data breach on individuals. Further, a rather onerous deadline for notification applies to controllers: specifically, Article 33 of the GDPR requires that a data breach is notified to the regulator without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless it is unlikely to result in a risk to individuals. The GDPR raised the maximum penalty for contraventions to 4% of global turnover or up to €20m, whichever is the greater. This has forced organisations to think about their approach to incident prevention, incident response and breach notification.
This article provides an analysis of the most high-profile data breaches and ICO enforcement actions in the two years post GDPR. Based on the enforcement action taken by the ICO, this article seeks to highlight the key issues that businesses should be aware of when considering their incident response policies and procedures, the do's and don'ts of incident response and, more importantly, the pitfalls that put organisations at risk of falling victim to a breach.
The GDPR sets out what is expected from an organisation in terms of the measures that should be put in place to secure personal data and what an organisation must do after a breach has occurred. The ICO has set out clearly what it saw as failings when issuing notices of intent to fine and monetary penalty notices. This serves as guidance for organisations when reviewing their breach preparedness and response procedures.