Under GDPR, data controllers must report data breaches. These breaches entail “the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data,” according to the Information Commissioners Office, (ICO) and can occur from several intrusions. These breaches can vary from hacks, to human error, to loss of equipment, and so on.
Whilst the rules about exactly what constitutes a data breach are complex, the ICO should only be notified when the breach involves personal data. “Any data which if leaked or hacked could compromise the privacy of individuals need to be considered high-risk,” Mike Shaw, Managing Director of Validium, warns. This includes sensitive data relating to where an employee lives, any criminal convictions, health records, financial details and absence records relating to their mental health. Other types of breaches may require you to notify a sector specific regulator.