Breach Notification and GDPR

Many Information Security professionals believe that data breach is an inevitable outcome that organisations will experience - it's no longer a case of "IF" but "WHEN".

In recent times, there have been many high profile data breaches involving the compromise of personal data.

GDPR defines a Personal Data Breach as:

"a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed"

Many people associate the notion of a data breach with the image of an external party hacking into a company's systems to unlawfully access data.

However, according to recent Industry research, 58% of all data security incidents occurred within the organisation and were caused by an employee, ex-employee or trusted 3rd party.

GDPR stipulates that the Supervisory Authority (ICO) must be notified by the data controller (your organisation) without undue delay and no later than 72 hrs after having become aware of a personal data breach.

There are some limited exceptions to when a breach must be reported to the Supervisory Authority:

  • If the data is encrypted and the key remains secure
  • If the data becomes corrupted but there is a mechanism to restore instantaneously e.g. database systems

It is anticipated that personal data breaches put an organisation at risk of being issued significant fines by the ICO, with the knock-on effect of brand-damaging media attention and the reputational loss that could ensue.

PYXI for GDPR provides confidence to small businesses that, in the event of a personal data breach, they have the tools at their disposal to manage the Breach Notification process in a simple and efficient manner.

Consent Management Tracking