Have you played the Data Breach game?
Over the past 12 months the noise around GDPR has gradually become louder and louder, with many businesses claiming to help with compliance or telling you of horrendous fines that you will have to pay. The ICO has started to respond to this with their series of blogs on GDPR myths, with their latest one looking at Data Breaches. This highlighted several key facts:
- only Data Breaches which are likely to result in a risk to people’s rights and freedoms need to be reported;
- Personal Data Breaches will need to be reported within 72 hours of becoming aware of the breach;
- certain details will need to be provided, but they will not necessarily expect a full solution at the first point of reporting;
- fines for failing to notify will be proportionate, so be open and honest.
This started me thinking about data breach procedures, which were around long before GDPR and, although not mandatory under the Data Protection Act, were seen as good practice. So in most companies procedures exist or have at least been discussed, but do you know of them and what to do?
To see how effective your Personal Data Breach procedure is, a simple game like snakes and ladders can be played but based on answering a few quick questions to see if you can move forward.
- So to set the scene (lay the board) a data breach has occurred and you have become aware of it. Do you know who to raise it to?
- If the answer is yes, great: report the incident and move up the ladder.
- If the answer is no, is this because there is no procedure or you are not aware of the procedure?
- If there is no procedure, game over: you have landed on a snake and left the game!
- If there is a procedure but you are not aware of it, this is like not finding the dice: you cannot even start, and by the time you have worked out what to do the 72 hours may have passed. Communicate the procedure and let people know what to do.
So avoid the snakes and know the rules of the game, otherwise you may lose without even realising.
This is a light-hearted look at a serious issue and is one of many areas to consider with GDPR, so if you need help with completing a review of your GDPR compliance please contact me through the BlacklerRoberts Ltd “Contact Us” page and I will be happy to discuss your needs. Alternatively please follow @BlacklerRoberts on Twitter for further insights.