Establish an internal breach-reporting procedure to prepare for GDPR, advises ICO
ICO publishes guidance ahead of implementation of GDPR in 2018
Organisations should establish internal security breach-reporting procedures as part of their compliance planning for the forthcoming General Data Protection Regulation (GDPR), the Information Commissioner's Office (ICO) has advised.
The recommendation is made in the latest guidance from the data protection watchdog, which has been updated to take account of the new rules coming into force in 2018. Organisations will need to start preparing now to make sure that they are compliant from day one. Many organisations, particularly larger ones, will no doubt respond by appointing data protection officers.
The regulation will, among other things, require organisations to inform data protection authorities and the public about personal data breaches, which means that organisations will need to put in place the appropriate reporting procedures and train staff accordingly.
"You should make sure that your staff understands what constitutes a data breach, and that this is more than a loss of personal data," advised the ICO guidance. "You should ensure that you have an internal breach-reporting procedure in place. This will facilitate decision making about whether you need to notify the relevant supervisory authority or the public.
"In light of the tight timescales for reporting a breach, it is important to have robust breach detection, investigation and internal reporting procedures in place."
Furthermore, organisations will not have much time to notify the authorities of any breach. Article 33 of the regulation requires notification to take place "without undue delay and, where feasible, not later than 72 hours after having become aware of it ... unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons".
A personal data breach is defined as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed".
Preparing for the new regulation - which will likely apply to organisations based in the UK regardless of Brexit - will require the guidance of in-house counsel, if available, said Pinsent Masons partner Marc Dautlich, who heads the law firm's information law practice.
"In-house counsel will need to define what in practice in their organisation constitutes a personal data breach, in line with the GDPR definition, so that employees can be given training to recognise such breaches and report them internally; and secondly, because in legal terms that will determine when the clock starts to tick for notification," said Dautlich.
He suggested that many organisations could look to existing notification procedures for other issues, such as product recalls or health and safety.
"In many cases security vulnerabilities originate in a business's supply chain. Data controllers need to be cognisant of the implications of this. In particular, since prevention is always better than cure - and as the law already requires it - vetting sub-contractors before selecting them, followed by a robust contract, which under GDPR will require new content, and finally ongoing monitoring of adherence in the supply chain to agreed security measures are each critical steps to take," he said.
The GDPR was approved by the European Commission earlier this year after a long and tortuous gestation period.