The decision to report a data breach, either to the Information Commissioner’s Office (ICO) or to the data subjects themselves, remains solely with the Group’s Data Protection Officer (DPO).
It is the duty of all Group staff to report data breaches to the DPO as soon as they become ‘aware’ of a breach. Awareness is defined as when a member of staff has a reasonable degree of certainty that a security incident has occurred and that this has led to personal data being compromised.
The GDPR explains that a personal data breach can be categorised as:
“Confidentiality breach” – where there is an unauthorised or accidental disclosure of, or access to, personal data
“Availability breach” – where there is an accidental or unauthorised loss of access to, or destruction of, personal data
“Integrity breach” – where there is an unauthorised or accidental alteration of personal data
It should also be noted that, depending on the circumstances, a breach could concern confidentiality, availability and integrity of personal data at the same time, as well as any combination of these.
Further guidance and examples are available on the link below:
Please complete the details below with the incident specifics and click on the ‘submit’ button to report the incident to the data protection team.