Data breach and notification

A personal data breach is a security incident affecting the confidentiality, integrity or availability of personal data, whether caused deliberately or accidentally.

For example:

  • personal data is lost, destroyed, corrupted or disclosed
  • someone has accessed or passed on data without the correct authorisation
  • data becomes unavailable, with significant negative effect on individuals

When a security incident takes place, you must quickly establish whether a breach has occurred and how severe the risk is. You must take appropriate steps as soon as possible. It's vital that you know when and what to disclose, and to whom. You must notify all those affected without delay and within 72 hours of the breach. You may also have to report the breach to the ICO within this timeframe.

Failure to report as required can result in a Tier two fine.

Data controller

A person who determines the purposes for which any personal data is processed and the way in which it will be done. They may act alone, jointly or together with other people. Processing means recording or holding personal information or carrying out any operations on it.

Data portability

GDPR will give individuals the right to have their personal data returned to them in an electronic format by the data controller. They may then pass this data onto another controller. This will enable individuals to move to alternative service providers more easily.

Data processor

Any person, other than an employee of the data controller, who processes personal data on behalf of the data controller.

Data protection impact assessments (DPIAs)

DPIAs help identify, assess and minimise the privacy risks of data processing. They’re especially important when new processes, systems and technology are being introduced.

Data protection officer

A DPO advises an organisation and its employees about data protection obligations, including GDPR, and monitors compliance. They are the first point of contact for supervisory authorities and data subjects.

Public companies, or those whose core activities include large-scale systematic monitoring and processing of personal data (including data relating to criminal convictions and offences) will need to appoint a DPO under GDPR. You may still choose to appoint a DPO even if you're not required to do so.

Data subject

The person whose personal data is being processed.

Personal data

Personal data is any personal information that could be used to identify the individual directly or indirectly. Under GDPR the definition is more detailed than under DPA 1998.

Previously, this data might be a name, address or photo, but it can now also be an email address, computer IP address, medical information, dietary requirements and social media posts. This reflects technological changes and how organisations collect information about people today. GDPR also applies to both automated personal data and to manual filing systems. 

Personal data that has been pseudonymised (for example key-coded) may fall under GDPR requirements, depending on how difficult it is to match the code to a specific individual and whether that individual could be identified through the contents of the data. For example, removing a client's name may not be enough if the client could be identified through other information on the file, such as marital status, address or issues arising.

For most organisations that already keep HR records, customer lists and contact details according to DPA 1998 requirements, the changed definition should have minimal practical impact.

Sensitive personal data

The categories are broadly the same as in the DPA 1998:

  • political opinions
  • religious beliefs or beliefs of a similar nature
  • trade union membership
  • physical/mental health or condition
  • sexual life
  • commission or alleged commission of any criminal offence; plus any proceedings, or outcome of any proceedings, relating to an actual or alleged offence.

Under GDPR, personal data also extends to genetic and biometric data where this is processed to identify an individual.

Privacy by design

Under GDPR, data security and privacy compliance must be built into new organisational and technical systems during their development, not added in later. Only data that is determined as ‘absolutely necessary for the completion of duties’ can be stored and processed.

Right to access

Under GDPR, an individual has the right to find out from a data controller whether their personal data is being processed, where this is happening and why. Controllers must provide a copy of that data free of charge when requested. Individuals may also query and contest decisions affecting them which are entirely algorithmically based.

Right to erasure

Also known as ‘the right to be forgotten’, individuals can ask the data controller to:

  • delete their personal data
  • stop its dissemination
  • stop third parties processing it