We’ve covered what constitutes a data breach and how to plan for one in previous articles. If one occurs, there is probably a requirement to notify the ICO. Judging whether a specific breach needs to be reported is not simply a matter of gauging the risk to your email marketing list.
You have to establish the likelihood and severity of the resulting risk to people’s rights and freedoms. If the breach may, if not addressed in an appropriate manner, result in emotional distress or physical or material damage, then you must inform the ICO. When assessing the risk, it is not the time to look on the bright side. Until there is more detailed guidance, it is best to err on the side of reporting.
If the above circumstances do not apply, then you do not have to inform the ICO. For instance, if an employee, or you, come to that, deletes personal data by mistake and the only one inconvenienced is you, then it is unlikely that you need to report it to the ICO. However, you should document your procedures in order to justify your decision.
You must report the breach without undue delay and within 72 hours. Should you fail to do so you will be required to give your reasons. You must include certain details in the report.
1/ the contact details of the data protection officer, if you have one, or otherwise a contact point;
2/ the nature of the breach, including the number of individuals concerned and the number of personal data records;
3/ the likely consequences of the breach;
4/ what measures you have taken, and what you plan to do, to mitigate the adverse effects of the data breach.
If, as is likely, you don’t have all the information required, then you should tell the ICO what you have done so far and what you are going to do to obtain the details.
Most commentators have advised that you depersonalise your email marketing lists when you are working on them. However, if the breach is a ‘high risk’ one, then you should inform those concerned without undue delay, and probably before the ICO. What constitutes a high risk is down to you to assess, but the need for individuals to protect themselves from the effects of the breach is something to consider.
Use clear, plain language to explain the risks, give details of a contact point, and set out the likely consequences of the breach. Where appropriate, you should indicate what measures they should take to mitigate the likely effects.
We mentioned records earlier on. This is a new requirement of the GDPR. Don’t look upon it as a stick for the ICO to beat you with, although it is something they will use to check compliance. It is more of a defensive measure.
Record all the details of the breach, including the immediate steps you took to verify the breach, and what you considered the likely effects and why; always why.
Whether it was human error that caused the breach or a criminal act, everyone in email marketing should know what procedures to follow.