One month on from the change in data protection laws, local organisations are responding to the higher standards expected of them under the new legislation.
When data protection is done well it builds and maintains trust between organisations and the individuals whose data they hold. We are encouraged that local organisations are extending that trust to us as the regulator by letting us know when things haven’t gone to plan.
Under the new legislation (the Data Protection (Bailiwick of Guernsey) Law, 2017) local organisations have a legal obligation to report a data breach to us within 72 hours of them becoming aware of it. In the four weeks since the law changed, we have received reports of seven low risk data breaches. We are encouraged by this as it is clear evidence that these local organisations take their responsibilities in respect of the new legal obligations seriously, they know how to respond accordingly, and that they are confident that we as the regulator will respond constructively.
Guernsey’s Data Protection Commissioner, Emma Martins commented on breach reporting’s role in improving data protection practices: ‘The key message for local organisations is that we will work positively and constructively with you in the event of a data breach, to improve compliance, for the benefit of everyone. Statutory breach reporting is new and we are here to support local organisations through the process. The breach reporting obligation exists to ensure that organisations recognise the importance of compliance and invest in systems that provide maximum protection for what is probably the most valuable asset they hold – personal data. We have been encouraged by the preparedness of local organisations, particularly by those who have evidenced an effective data breach response plan. We are grateful for the insight that breach reports provide us, as they alert us to issues early, and provide invaluable insight into the risk environment. This helps us to target our resources to support better compliance across the Bailiwick.’
What is a breach?
A personal data breach is defined in section 111(1) of the Law as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
There will likely be a breach whenever any personal data (including any special category data) is accidentally lost, corrupted or disclosed, or if someone accesses it or passes it on without proper authorisation to do so.
ne of the key differences between the previous law and the new law is that breach reporting is now mandatory, rather than voluntary. We categorise each breach we receive depending on severity – the seven breach reports we have received in the month since the law changed have been ranked as low risk. This means that the breaches are unlikely to cause harm to the person whose data has been disclosed accidentally. The breach reports we have received predominantly relate to organisations unintentionally sending personal data to the wrong recipient (for example, by software autocompleting an email address and the user not checking before they send the email).
Action points for organisations after a personal data breach
Action we take following a reported breach
- Read: our breach reporting guidance document (includes checklists and templates)
- Let us know the breach has occurred – via our secure online breach reporting mechanism
- Take steps to limit the damage. Where appropriate, advise the person who received the data in error that they should delete the data and must not make use of or disclose the data to anyone else
- Consider whether it may be necessary or appropriate to report the breach to any other regulatory or law enforcement agency
- In some cases you will need to notify the person whose data was disclosed in the breach
- Ensure your organisation reviews and learns from what has happened
- We record the breach, securely and confidentially, and assess its severity
- We contact the organisation to confirm receipt of their breach report and discuss what happens next (each report is assessed on a case by case basis)
- Where necessary we may need to communicate with other data protection authorities, if the breach is likely to affect people outside of our jurisdiction
We are working to improve our online breach reporting mechanism – if you have any comments to feed into this work please let us know via email@example.com