The General Data Protection Regulation (GDPR) and Data Protection Act 2018 (DPA) require employers to keep all sensitive personal data they manage safe. It’s vital for every employee to play their part in handling data appropriately. And it’s the job of employers and HR to have clear policies and procedures in place and respond effectively if a breach occurs.
What is a personal data breach?
A personal data breach occurs when data is destroyed, lost, altered, or disclosed inappropriately. Breaches can range from simple human errors, such as sending an email to the wrong address, to more complex incidents like phishing attacks or hacking. Even verbal slips, like sharing confidential information overheard by someone else, can be problematic.
Why does GDPR matter?
Organisations can face hefty fines for sensitive data breaches—up to £17.5 million or 4% of global annual turnover. For example, Interserve, a construction company, was fined £4.4 million in 2022 for exposing the personal data of 113,000 employees.
Victims of breaches can pursue legal action. Manchester United, for instance, was sued after an email containing employees’ personal data was sent to casual staff, even though no fine was imposed by the ICO (Information Commissioner’s Office).
5 steps to manage a personal data breach
- Respond immediately
Immediate action can help prevent a small breach from escalating. Fast responses also protect affected individuals, reducing risks like identity theft.
- Have a procedure in place (and ensure all relevant employees know what it is)
Have a breach response plan in place and assemble a team from relevant departments like IT and HR.
- Contain the breach
Identify the breach’s scope, recover data if possible, and protect sensitive information by taking practical steps such as changing passwords.
- Assess the impact
Evaluate the scope of potential harm based on factors like the sensitivity of the data and who is affected.
- Document and report the breach
Notify the ICO within 72 hours if the breach poses a risk to individuals’ rights and freedoms. Regardless of whether it’s reported, keep records of the breach, its impact, and how it was handled.
Handling breaches swiftly and efficiently can limit legal, financial, and reputational damage while safeguarding affected individuals. Clear policies and regular staff training are essential, as is having the right IT structures in place to protect personal information.
The team at Hunter Law is here for you. We can handle your HR issues, finesse your policies, and keep you up-to-date on evolving legislation. Please get in touch with our legal team, we’d love to help.