Personal Data Breach Reporting

As more aspects of our lives move online, cybersecurity incidents and personal data breaches are a harsh reality of modern life. The mere fact personal data breaches are commonplace shouldn't be construed as meaning that they are either acceptable or not preventable. The impact on individuals and organisations can be devastating and can lead to regulatory fines and claims for compensation.

While Article 32(1) of the UK General Data Protection Regulation (GDPR) requires controllers to implement appropriate technical and organisational measures, it is impossible to prevent every personal data breach. Where a breach does occur, Article 33 of the GDPR requires organisations to determine the severity, report certain violations to the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach, and notify affected individuals where there is a high risk that their rights and freedoms have been affected.

In this short course, we address how to detect, record, report and respond to information security incidents involving personal data. Understanding how to respond to and manage different types of security incidents effectively is a necessary skill for any organisation seeking to protect against reputational damage and the loss of consumer trust.

The course covers:

• What is a data breach?
• Different types of cybersecurity incidents and personal data breaches
• Key definitions and terminology
• Personal data breach reporting requirements under the GDPR
• Failure to notify
• Incident response planning
• The role of risk management, business continuity and disaster recovery
• Related information security standards
• How to investigate a data breach
• Data breaches involving third-party suppliers (processors)
• The importance of maintaining a personal data breach register
• Dealing with the ICO or other supervisory authorities and regulators