Obséy International Chief Executive, Léon Atkins, presented at the GDPR Europe Roadmap for Business, hosted by GDPR:Summit in London on 20th November.

With the deadline for GDPR compliance looming, Léon’s focus was on personal data breaches and the breach notification and sanctions regime.

In the context of breaches, Léon’s advice was: “Be prepared!”

“The Article 29 Working Party’s Guidance on Personal Data Breaches makes it clear that a lack of preparation for a breach risks doubling down on the sanctions that might be applied in respect of that breach. Indeed, they make it clear that ‘failure to notify a breach could reveal either an absence of existing security measures or an inadequacy of the existing security measures’ and that they are two separate infringements.”

Léon also highlighted that a personal data breach did not require an associated security incident:

“If there has been any loss of confidentiality, availability or integrity of personal data, then there has been a personal data breach, regardless of the cause, and that has to be notified to the supervisory authority (unless it is unlikely to result in a risk to the rights and freedoms of the individual), as well as notified to the data subjects if there is a high risk to their rights and freedoms.”

Finally, Léon reiterated the need to document personal data breaches, even those that do not require notification:

“GDPR, as well as good practice, dictates that when something goes wrong it must be documented, and that the documentation process is used to facilitate a root cause analysis and subsequent process for resolution. If something goes wrong, but is not properly rectified to avoid future failure, the sanction risk to the organisation rises proportionately.”