To report or not report – GDPR implications if you are hacked 

If business contacts or friends start to receive emails from you which are obviously spam or phishing, then the chances are that your email has been hacked or that some form of virus or malicious software has found its way onto your computer and account. This is a fairly common occurrence and whilst the obvious steps may be to notify IT, change passwords and inform contacts, would you consider the GDPR? Could this intrusion be a personal data breach?

If someone has accessed your account, then depending upon its contents, they may have had access to personal data too, for example contact details, email addresses and of course the data within any emails in that account. Personal data breaches, as defined by the GDPR, include breaches of security leading to access to personal data that is transmitted and stored, so fit squarely within this situation. 

If there has been a data breach, whilst the temptation might be to hope that there are no adverse consequences, the GDPR imposes self reporting duties. A controller is required to report a personal data breach to the ICO unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. The risk is therefore something that has to be reviewed, depending upon the data potentially accessed and its implications. Even if a decision is reached not to report the matter, documented evidence must be retained of the breach and decision. An organisation may also in some circumstances be required to notify the individuals concerned, albeit that this is more where there is a high risk and can be avoided in some cases by appropriate technical and organisational measures.

Compliance with the GDPR must be by design and default, and demonstrable. It is therefore essential that businesses have appropriate documentation and processes in place to demonstrate the technical and organisational measures that apply. These measures should be under regular review, documentation should be kept up to date, resources should be available to staff so that they know what to do in these situations as well as offering a training tool for new staff and a point of reference for existing staff.

Lawspeed can assist with advice on the GDPR, compliance and documentation and training to help support compliance.  For advice on GDPR contact Lawspeed on 01273 236 236.

Are blanket assessments under IR35 part of HMRC’s plan?
SPA transparency wins support from agencies