GDPR compliance—managing personal data breaches

The following Risk & Compliance guidance note provides comprehensive and up-to-date legal information covering:

  • GDPR compliance—managing personal data breaches
  • Data security requirements
  • What is a personal data breach?
  • Why should you worry about personal data breaches?
  • What if you use a data processor?
  • Breach management
  • Notifying the ICO
  • Notifying affected data subjects
  • Notifying other parties
  • Monitoring and review

Data security is a cornerstone of the EU General Data Protection Regulation (GDPR). The sixth data protection principle (the integrity and confidentiality principle) requires you to take appropriate technical and organisational measures to process personal data in a manner that ensures appropriate security, including:

  1. protection against unauthorised or unlawful processing

  2. protection against accidental loss, destruction or damage

Data security requirements

Article 32 puts more flesh on the bones of the GDPR’s integrity and confidentiality principle. You are required to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account:

  1. the nature, scope, context and purpose of processing

  2. the risk of varying likelihood and severity for the rights and freedoms of data subjects

Your security measures should include, as appropriate:

  1. the pseudonymisation and encryption of personal data

  2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services

  3. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

  4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing

For assistance in reviewing your information security arrangements, see Precedents:

  1. Information audit form (and for law firms: Information security review—law firms)

  2. Privacy risk register

  3. Data protection