In anticipation of Brexit, a new domestic data privacy law, the UK-GDPR, was written into UK law; it has applied since 1 January 2021, the end of the Brexit transition period, alongside the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations (PECR). Together these govern the processing of personal data inside the United Kingdom, with PECR specifically covering cookies, similar tracking technologies and electronic marketing.
The UK-GDPR closely mirrors the EU's GDPR. It requires your website to obtain valid consent from users before processing their personal data via cookies and third-party trackers, to store and document each valid consent securely, and to let users withdraw their consent as easily as they gave it. It also gives UK users a set of rights, chief among them the right to erasure (to have collected personal data deleted) and the right to rectification (to have inaccurate personal data corrected).
What is a personal data breach?
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data. Personal data breaches can include:
i. access by an unauthorised third party.
ii. deliberate or accidental action (or inaction) by a controller or processor.
iii. sending personal data to an incorrect recipient.
iv. computing devices containing personal data being lost or stolen.
v. alteration of personal data without permission, and
vi. loss of availability of personal data.
A data breach occurs when data for which your company or organisation is responsible suffers a security incident resulting in a loss of confidentiality, integrity or availability. In short, there is a personal data breach whenever personal data is accidentally lost, destroyed, corrupted or disclosed; whenever someone accesses the data or passes it on without proper authorisation; or whenever the data is made unavailable and that unavailability has a significant negative effect on individuals. Ransomware that encrypts a customer database, for example, is a breach of availability even if no data leaves the network.
What data does your organisation hold?
Identifying what data your organisation holds, where it comes from and what you do with it is a crucial part of UK-GDPR compliance. This could include data such as:
i. names, email addresses and address records;
ii. bank details, credit card details and mobile phone numbers;
iii. data held on social media, and internal and external employee, supplier and client data;
iv. data held by your international offices, marketing and order history stored in the cloud, and information shared with third parties.
What must a company do when there’s a data breach?
Data breaches only need to be reported to the regulator if they pose a risk to the rights and freedoms of living individuals. This generally means the possibility of affected individuals suffering economic or social harm (such as discrimination), reputational damage or financial loss. Most data breaches fall into this category, but a breach involving data that cannot be linked to a specific individual is unlikely to pose such a risk. Whether or not you are required to report a data breach, the GDPR requires you to keep a record of it. Where a breach does pose a risk to people's rights and freedoms, the company must:
i. Notify the ICO (in the UK) of certain types of data protection breaches.
ii. Report such breaches without undue delay and, where feasible, within 72 hours of becoming aware of the breach (even if you do not yet have all of the details; the remaining information can be provided in phases).
iii. Where the breach is likely to pose a high risk to individuals' rights and freedoms, notify the affected individuals without undue delay.
iv. Keep a full internal breach register, recording the facts of the breach, its effects and the remedial action taken. Organisations that do not already have internal procedures for managing data protection breaches should adopt formal procedures.
How to complain and claim compensation?
The GDPR gives you a right to claim compensation from an organisation if you have suffered damage as a result of it breaking data protection law. This covers both material damage (for example, you have lost money) and non-material damage (for example, you have suffered distress). A court claim is not always necessary to obtain compensation: the organisation may simply agree to pay it to you. If it does not agree to pay, your next step is to make a claim in court. You should write to the organisation before you start court proceedings. The court then decides the case and, if it finds in your favour, whether the organisation has to pay you compensation.