GDPR compliance—managing personal data breaches

The following Risk & Compliance guidance note provides comprehensive and up-to-date legal information covering:

  • GDPR compliance—managing personal data breaches
  • Data security requirements
  • What is a personal data breach?
  • Why should you worry about personal data breaches?
  • What if you use a data processor?
  • Breach management
  • Notifying the ICO
  • Notifying affected data subjects
  • Notifying other parties
  • Monitoring and review

Brexit: As of exit day (31 January 2020), the UK is no longer an EU Member State, but it has entered an implementation period during which it continues to be treated by the EU as a Member State for many purposes. The UK must continue to adhere to its obligations under EU law, including in relation to data protection, and the ICO has confirmed the GDPR will continue to apply during the implementation period. For more information, see: Practice Note: Brexit—implications for data protection.

Data security is a cornerstone of the EU General Data Protection Regulation (GDPR). The sixth data protection principle (the integrity and confidentiality principle) requires you to take appropriate technical and organisational measures to process personal data in a manner that ensures appropriate security, including:

  1. protection against unauthorised or unlawful processing

  2. protection against accidental loss, destruction or damage

Data security requirements

Article 32 puts more flesh on the bones of the GDPR’s integrity and confidentiality principle. You are required to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account:

  1. the nature, scope, context and purpose of processing

  2. the risk of varying likelihood and severity for the rights and freedoms of data subjects

Your security measures should include, as appropriate:

  1. the pseudonymisation and encryption of personal data

  2. the ability to ensure the