Under GDPR a breach, which is deemed reportable to the Data Protection Commission, must be reported by an organisation not later than 72 hours after having become aware of it.
All breaches or suspected breaches should be reported to the Data Protection Officer without delay for assessment.
A data breach usually occurs when:
- there is an unauthorised or accidental disclosure of, or access to, personal data;
- there is an unauthorised or accidental alteration of personal data; or
- there is an accidental or unauthorised loss of access to, or destruction of, personal data.
The GDPR defines a data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed".
Data breaches may occur in a variety of contexts, such as:
- Loss or theft of data (e.g. on a memory stick, laptop or paper records)
- Inappropriate access controls (e.g. using unsecure passwords)
- Equipment failure
- Confidential information being left unlocked in accessible areas (e.g. leaving IT equipment unattended when logged into a user account, leaving documents on top of shared photocopiers)
- Disclosing confidential data to unauthorised individuals
- Human error (e.g. emails being sent to the wrong recipient)
- Hacking, viruses or other security attacks on IT equipment systems or networks e.g. Ransomware
- Breaches of physical security (e.g. forcing of doors/windows/filing cabinets)
If a data breach has occurred, you will be asked to report the incident to email@example.com as soon as possible.
It is much better to report a data protection breach straight away than to "cover it up" and risk negative consequences down the line.
A data protection breach is not a disciplinary issue, and once the breach has been reported the Data Protection Officer will handle things from there.
For more information please see the Personal Data Breach Procedural Guidelines
Further information in respect of breach notification is available from the Data Protection Commission