GDPR Myth Busting – So we just won’t tell them

Compulsory breach notification is in place.

A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

You must keep a record of all personal data breaches.

You have to notify the ICO of a breach unless it is unlikely to result in a risk to the rights and freedoms of individuals. This has to be done without undue delay, but not later than 72 hours after becoming aware of it.

Where a breach is likely to result in a high risk to the rights and freedoms of individuals, you must also notify those concerned directly and without undue delay.

If you are a data processor you are under an obligation to notify the data controller, but not the ICO.

So, for example, sending an email to a number of recipients without using the BCC function is a potential personal data breach, because each recipient's address is disclosed to all the others. This should be recorded but will not need to be reported to the ICO unless the email contains information which carries a privacy risk, such as home address details. If the email contained bank account details there is a potential for fraud, and this would need to be reported to both the ICO and the individuals concerned.

PS: if you receive an email that should have been BCC'ed, do not hit 'reply all' to tell the sender of the issue, as you would be committing a data breach yourself by re-disclosing every recipient's address.
