
Sound the alarm: Reporting data breaches under GDPR

Under GDPR, data controllers must report data breaches. According to the Information Commissioner's Office (ICO), a breach entails “the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data,” and it can arise from several kinds of incident: hacks, human error, loss of equipment, and so on.

Whilst the rules about exactly what constitutes a data breach are complex, the ICO should only be notified when the breach involves personal data. “Any data which if leaked or hacked could compromise the privacy of individuals need to be considered high-risk,” warns Mike Shaw, Managing Director of Validium. This includes sensitive data such as where an employee lives, any criminal convictions, health records, financial details and absence records relating to their mental health. Other types of breaches may require you to notify a sector-specific regulator.

Furthermore, organisations have only 72 hours to report a breach to the ICO, and the report must include details of the breach, the individuals implicated, the type of breach and the records involved. Developing a breach response strategy in advance is therefore important, especially considering that failing to notify a breach can result in a monetary penalty of up to £500,000. Depending on the severity of the contraventions, fines can escalate to £17 million (€20 million) or four per cent of annual global turnover.

The Uber case illustrates just how seriously GDPR should be taken. In 2016, the ride-hailing firm fell victim to a hack that compromised the personal data of 57 million customers and drivers. Instead of being transparent, the firm paid the hackers £75,000 to delete the stolen personal data and concealed the incident for a whole year. Had this delayed breach report happened whilst GDPR was in force, the costs would “likely be in the tens of millions,” according to Dean Armstrong, Cyber Law Barrister at Setfords Solicitors, as SC Media UK reports.
