A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
The General Data Protection Regulation (GDPR) introduces a duty on all organisations to report certain types of data breach to the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of it. These are breaches that are likely to result in a risk to the rights and freedoms of individuals, i.e. the breach could lead to discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage. If it is judged that the breach is likely to result in a high risk to the individual’s rights and freedoms, the individual must also be notified without undue delay. In dental practice, a breach of confidentiality is an example of something that will be notifiable to the ICO. You may find it helpful to discuss such a breach with your indemnity organisation prior to notifying the ICO.
Failure to report a breach when required to do so could result in a fine, as well as a fine for the breach itself.
- Ensure that you have procedures in place to detect, report and investigate a personal data breach.
- If you discover a data breach which is likely to result in a risk to the rights and freedoms of individuals, report this to the ICO within 72 hours.
  - If it is judged that the breach is likely to result in a high risk to the individual’s rights and freedoms (e.g. identity theft or breach of confidentiality), notify the individual without undue delay.
- If you use an external data processor, ensure that they will report any data breach to you as soon as they become aware of it – you are then responsible for reporting the breach to the ICO within 72 hours.
This interim advice is based on resources from the Information Commissioner’s Office (ICO) website. Although every effort has been made to ensure the accuracy of this advice, SDCEP takes no responsibility for inaccuracies or omissions and does not accept responsibility for any loss, damage or expense resulting from the use of this information. Further advice on complying with GDPR can be found on the ICO website and via the EU GDPR learning resource. Your indemnity organisation may also provide information and resources to help you comply, and may be able to advise you regarding particular issues that arise from GDPR implementation.