Ordinarily at this time of year, I advocate a total switch off from all things work. However, the one thing that does not take a break over the Christmas period is the obligation to report a data breach to the Data Protection Commissioner. All data breaches must be notified within 72 hours.
A breach is reportable where it is likely to result in a risk to the rights of the affected individuals. It is important to assess the type, scale and potential consequences of any breach. Breaches are assessed in the following categories:
- Low Risk: The breach is unlikely to have an impact on individuals, or the impact is likely to be minimal.
- Medium Risk: The breach may have an impact on individuals, but the impact is unlikely to be substantial.
- High Risk: The breach may have a considerable impact on affected individuals.
- Severe Risk: The breach may have a critical, extensive or dangerous impact on affected individuals.
If the breach is deemed reportable, a notification must be made via the DPC website without undue delay. Information must be provided on the form, and the DPC may seek further information. It is important to respond fully and within the timeframe provided.
If the breach results in no risk to the rights of the data subject, it is not reportable but the organisation must keep a record of the breach and take mitigating steps.
This article is for information purposes only, and is not intended to be relied upon as legal advice. If you experience a data breach, feel free to contact Fitzsimons Redmond and we will help you assess the impact and guide you through the notification process. You can contact us on 01 6763257.
By Lisa Quinn O’Flaherty
Solicitor at Fitzsimons Redmond