You have procedures to assess all security incidents and then report relevant breaches to the ICO within the statutory time frame.
Ways to meet our expectations:
- You have a procedure to assess the likelihood and severity of the risk to individuals as a result of a personal data breach.
- You have a procedure to notify the ICO of a reportable breach without undue delay and within 72 hours of becoming aware of it (even if not all the information is yet available; the remaining details can be supplied in phases), and you notify the ICO on time.
- The procedure includes details of what information must be given to the ICO about the breach.
- If you consider it unnecessary to report a breach, you document the reasons why your organisation considers the breach unlikely to result in a risk to the rights and freedoms of individuals.
Can you answer yes to the following questions?
- Are staff aware of the policies and procedures and are they easy to find?
- Do staff understand how to conduct the risk assessment?
- Do they know when a breach needs to be reported to the ICO?