A personal data breach is a breach of security which results in personal data being accidentally or unlawfully destroyed, lost, altered or disclosed.
If the breach presents a risk to the rights and freedoms of the relevant individual, the breach must be reported to the Information Commissioner’s Office (ICO). If the breach presents a high risk to the rights and freedoms of the relevant individual, the breach must be reported to the ICO and the individual must be notified.
Under the GDPR, if a breach is reportable, it must be notified to the ICO (and to the individual, if appropriate) within 72 hours of discovery.
If you fail to notify a breach when required to do so, you may be hit with a fine. The GDPR has introduced steep new penalties of up to 10 million Euros or 2 per cent of global turnover. Although SMEs are not expected to be issued fines at the top level of the scale, the penalties could still be significant.
To ensure compliance and avoid a penalty, businesses should have robust procedures in place to detect, report and investigate any personal data breaches.