Steady number of very low-level data breaches

The Office of the Data Protection Commissioner (ODPC) informs as part of its routine statistics reporting that in the three months up to 18 August 2018, there were 32 self-reported, personal data breaches, most of which are very low-level and require no further action. The ODPC confirms that within the steady number of breaches reported, a small number were more significant or involved more than one jurisdiction necessitating coordination with other regulatory authorities. On these cases, the ODPC continues to be actively engaged with the data controller. The reporting of data breaches is in line with section 42 of the Data Protection (Bailiwick of Guernsey) Law, 2017, which requires organisations processing personal data to notify the ODPC of any personal data breach. This new statutory obligation for data controllers, which has been in force since 25 May 2018, aims to provide the ODPC with timely information, as well as ensuring transparency and accountability for those handling personal data. In response to the new law, the ODPC aims to utilise and publish the information that is reported as much as possible. Data Protection Commissioner, Emma Martins, confirmed that the breach reports are already proving helpful for the ODPC to gain insights in to real-world risks and to raise awareness within the community to help them mitigate and respond to those risks going forward.

‘It is vital that we build a strong, respectful and constructive relationship with the regulated community. We recognise that reporting breaches requires them to trust us to do our job with absolute integrity. This is not about naming and shaming organisations when things go wrong. It is about building a positive and meaningful relationship; one which recognises that that our collective learning about the very real risks to individuals of poor data handling allows us to take important, preventative action and significantly improve our outcomes,’ said Mrs Martins.

Action points for organisations after a personal data breach

• Read: our breach reporting guidance document (includes checklists and templates)
• Let us know the breach has occurred – via our secure online breach reporting mechanism

• Take steps to limit the damage. Where appropriate, advise the person who received the data in error that they should delete the data and must not make use of or disclose the data to anyone else
• Consider whether it may be necessary or appropriate to report the breach to any other regulatory or law enforcement agency
• In some cases you will need to notify the person whose data was disclosed in the breach

• Ensure your organisation reviews and learns from what has happened

Action we take following a reported breach

• We record the breach, securely and confidentially, and assess its severity
• We contact the organisation to confirm receipt of their breach report and discuss what happens next (each report is assessed on a case by case basis)
• Where necessary we may need to communicate with other data protection authorities, if the breach is likely to affect people outside of our jurisdiction