Peninsula Group, HR and Health & Safety Experts
What should you do if an employee makes a data protection breach? GDPR laws mean it's potentially a serious issue. This guide explains how to handle the situation.
As your online presence increases, so does the risk of people stealing your personal data.
If you're an employer, your business needs secure data protection. Otherwise, you're at high risk of legal action, GDPR fines and reputational damage.
Personal data breaches are a threat to your business, which is why you must follow the law accordingly.
In this guide we’ll explain what GDPR is, how to avoid a data breach, and how to comply with UK law.
GDPR stands for General Data Protection Regulation. It aims to give individuals more control over their data.
The law came into effect in 2018 and applies to EU countries as well as the UK.
Every business should follow GDPR.
GDPR laws outline three personal data factors to consider:
● Data subjects: This is who the personal data relates to.
● Data controllers: This is the individual or business who decides what data to collect and how.
● Data processors: This is the individual or business who processes personal data for the controller.
The Data Protection Act is a UK law that controls how businesses and organisations manage your personal data.
Organisations, businesses, and even the government have a legal responsibility to protect personal data.
Any person or employer storing this data should follow the data processing principles, which you can find under the Data Protection Act.
Data processing principles are a set of strict rules. They act as a guide to storing personal and sensitive personal data safely.
The seven data processing principles are as follows:
Compliance with these principles is a good start for those storing personal data and for those looking to implement strong data protection practices.
Under UK GDPR, data subjects have certain rights regarding how third-party services process and control their personal data.
These rights include:
Personal data refers to information about an individual. Information about companies, organisations or public authorities is not personal data.
The law states that stored personal data cannot:
Examples of personal data include:
An identifiable factor is a recognisable detail of a person. If processed data includes an identifiable factor, this breaches GDPR.
Identifiable factors include:
The Data Protection Act provides a list of identifiers should your business need to refer to it.
You should ensure you are GDPR compliant when dealing with the personal data of employees and customers, which means following certain practices.
Let's explore these examples in more detail.
You should obtain consent when storing personal data.
Lawful consent will:
For example, an employer may want to obtain consent from their customers for marketing purposes.
To do this, they may send an email giving customers the chance to confirm their marketing preferences. This gives them the option to opt in or out of future marketing communication.
To process personal data, you must have a valid lawful basis. You do not have a lawful basis for processing if there is another reasonable and less intrusive way to achieve the same result.
There are six lawful bases under UK GDPR.
A data subject can override these bases if the information is special category data.
Special category data is also known as sensitive data. Processing special category data has a higher risk than any other type of data.
Because of its sensitivity, special category data needs to be processed and collected differently. This means following certain conditions.
These conditions include:
There are a number of security measures you can take as an employer to maintain data protection.
Let's explore these measures in more detail.
In order to see how GDPR compliant your business is, you should conduct a GDPR audit.
An audit will assess which parts of your business aren't following GDPR rules and reveal the status of your current information security. It will also identify where there is a risk of a personal data breach.
A UK GDPR team or third party can conduct the audit and provide an objective view of your company's data processing. They will also provide guidance on how to improve your company's GDPR compliance.
GDPR audits are not a 'one-off' practice, however; your business should schedule one every year.
The role of a data protection officer (DPO) is to make sure that data processing is done in accordance with GDPR.
They are in charge of the decision making behind data safety measures, and must manage legal compliance as well as liaising with the official authority.
A DPO will advise on how to improve your company's data protection and processing policies, as well as implementing their own organisational measures to keep personal data protected.
They can also answer questions from employees about their processing activities and data security.
Any organisation can hire a DPO, but your company should appoint one if it:
Should a personal data breach occur, a DPO will act without undue delay.
A personal data breach is an incident that leads to the accidental or unlawful loss of personal data.
This includes the alteration and unauthorised disclosure of personal data, as well as unauthorised access to a person's information.
Under UK GDPR, if a security incident takes place at work, the individual or business needs to establish whether a breach has occurred.
Personal data breaches have a negative impact on the natural persons targeted and can result in many possible adverse effects.
These effects include:
Responding to the breach in a timely manner will mitigate these adverse effects, especially if you have a breach procedure in place.
If your company suffers a security incident, don't panic. Instead focus your attention on reducing the adverse effects of the personal data breach.
As an employer, there are a number of steps you need to take.
Let's discuss how these steps work in more detail.
If your company receives a personal data breach notification, you should work out what actually happened. This means finding out the who, what, where, why and how.
To work this out, you need to ask the following questions:
You should also consult the data processor and data controller within your business. They will be able to shed light on the cause of the breach, as well as disclosing the personal data records concerned.
The DPO or other contact point at your business should also be aware of the personal data breach and have a response plan to mitigate the possible adverse effects.
Next, it's important you contain the personal data breach as much as possible.
For example, if you sent an email with confidential contact details about an individual to the wrong person, you could ask them to delete it.
More severe personal data breaches, however, require remedial action.
The law requires you to report a breach to the ICO.
The ICO is the UK's data protection regulator and supervisory authority for GDPR compliance. They can investigate the incident and determine who is at fault.
The report must include the approximate number of data subjects affected by the breach, as well as the type of data breached.
Ensure you report the incident without undue delay. The report should be made within 72 hours of the data breach.
If your company receives a personal data breach notification, you will need to take remedial action to work out if the breach is low- or high-risk.
This means considering the following elements:
If you want more information about conducting a risk assessment, check out our guide.
Your company may suffer a personal data breach that jeopardises the rights and freedoms of individuals.
If so, UK GDPR states you should inform them without undue delay. This includes advising them of the immediate risk of the breach.
This will help them take steps to protect themselves from the consequences.
A GDPR breach is a criminal offence.
No matter how well you manage a personal data breach, it is still a GDPR infringement, and non-compliance means your business could face criminal action.
Examples of criminal action include:
Let's explore these examples further.
The ICO may issue a fine if a business breaches GDPR.
Under the UK law, there are two tiers of administrative fines a business can receive for breaching GDPR.
The ICO issues fines on a discretionary, case-by-case basis.
If your business suffers a personal data breach, the data subjects affected may want to take legal action. These subjects may include employees, customers and business partners.
Your business may also suffer reputational damage as a result, which could mean further financial loss for your company if you lose clients and customers.
It may also result in lack of employee trust. Employees may not feel their information is secure due to the personal data breach.
This may increase employee turnover until you implement proper security measures.
In more severe cases, breaching GDPR could even result in a prison sentence for company directors.
This is typically the case if the business has lost the data due to a security weakness, or if data has been stolen from an employee within the business.
As an employer, you should have a safe approach when storing the personal data of your clients, customers and workers. Personal data includes contact details, employment information, or medical records.
Even someone visiting your website can provide you with their information, and you're responsible for keeping that data safe.
If you don't have a safe approach in place, your business may suffer a large data breach, which can mean losing customers, as well as a financial loss from GDPR fines.
Peninsula offers you expert 24/7 HR advice and support, helping you to protect your employees and customers' personal data. Contact us on 0800 158 2312.