Control measure: Nominated staff are assigned to oversee and make decisions on personal data breaches. They should be senior and experienced enough to make informed decisions.
Risk: Without a structured approach to decision making, personal data breaches may not be reported or uninformed decisions may be made. This may breach articles 33 and 34 of the UK GDPR.
Ways to meet our expectations:
- Allocate ultimate responsibility for assessing and reporting personal data breaches at board or senior management level.
- Allocate day-to-day management and decision-making responsibilities to oversee your response to personal data breaches, including decisions on whether to report and escalate, where appropriate.
- Designate a person or team to document the progress and actions taken in response to personal data breaches.
- Reflect these responsibilities in the relevant job descriptions.
Options to consider:
- Ensure there are effective lines of communication between the day-to-day personal data breach decision makers and staff member(s) with responsibility for resolving the threat or personal data breach.
- Capture all the appropriate information in systems documenting progress in response to a personal data breach.
- Check staff at all levels involved in personal data breach decision making and management are fully aware of their responsibilities and what actions to take.
Useful links:
ICO guidance: Personal data breaches: a guide