The GDPR is enforced by the supervisory authority, the Information Commissioner’s Office (ICO).
There are strict time frames for notifying the ICO of any breach.
Data controllers must notify the ICO of a personal data breach in which there is a risk to the data subject’s rights no later than 72 hours after becoming aware of it. The notification must include:
- The nature of the breach
- The name and contact details of your Data Protection Officer (DPO)
- The likely consequences of the breach
- Measures taken or proposed to be taken to address and mitigate the breach.
Fines under the GDPR
A number of factors will be taken into account by the ICO when deciding the level of fine. Given that the fine can be 4% of the total worldwide annual turnover (note not profit), these could be critical to the survival of a business. These factors include:
- Nature, duration and gravity of the breach
- Whether the breach was intentional or negligent
- What damage was caused
- Mitigation steps taken
- Existing safeguards implemented
- The degree of co-operation with the ICO
- Whether the matter was reported by the company
- Any other similar breaches by the company
- Any other mitigating factors
Seeking advice promptly and responding to the breach quickly with a clear plan of action is vital.