The General Data Protection Regulation (GDPR) is a law that came into force in the UK in 2018. It is based on an EU law of the same name and is the main piece of legislation when it comes to data protection. The law sets out seven key principles for handling personal data, underpinned by lawfulness, fairness and transparency.
The first thing you should be aware of is that a data breach isn't just a stereotypical hack. It is any case in which data might be accessed without the consent of those involved. This breaches the GDPR because it may harm the integrity of the data. If an employee sends a database to a friend to look over, that is a data breach, because the friend has no consent to see it.
Data breaches can also include any unauthorised changes to the data. If you are in any doubt over whether something counts as a breach, make sure to double-check! Don’t leave your data security to chance.
But what happens when an employee ignores one of these principles?
What are the consequences of breaching the GDPR?
The UK GDPR says all organisations must report certain personal data breaches to the ICO within 72 hours. This means any breach that poses a risk to the rights and freedoms of those concerned.
In certain cases, they may also need to report the breach to any individuals who are affected. This is any case in which there is a high risk to the rights and freedoms of those involved (particularly anything involving special category data). For example, if a hospital loses important health data, they may have a duty to inform their patients.
Every organisation should have protocols in place to deal with such a leak. According to the GDPR, they should have a Data Protection Officer (DPO) who is fully versed in the principles of the GDPR. This person should oversee the company’s strategy and make sure it is fully compliant.
Any response to a data breach should include measures for detection and investigation. Even if the breach is not reported, the company must record that decision and be able to justify it. The GDPR values good internal processes as much as it values perfect outcomes.
Breaching the GDPR can have major consequences for the company involved. It is at risk of a hefty fine and damage to its reputation. As a result, it will naturally want to get to the root of the problem. If that root is an individual employee, the person may face disciplinary action.
What happens to the employee who breaches the GDPR?
Every organisation should already have a protocol in place to deal with an employee who breaches the GDPR. First of all: check the company articles and employment contracts. Most companies have a written statement on what will happen in this case. HR should not be making up the consequences as they go along.
In general, the impact will depend on the nature of the breach. There are many ways you can breach the GDPR and so the consequences will vary. An intentional leak is very different from a one-off accident. The company’s review should look into the cause of the breach so it doesn’t happen again.
Some data breaches may be unintentional:
- The employee sends an email to the wrong address.
- The employee has their work laptop stolen at gunpoint.
Others may be the result of deliberate neglect:
- The employee uses their phone to respond to work emails.
- The employee forwards emails to their personal email address.
Others may be intentional leaks:
- The employee gives data to a competitor.
- The employee alters data because they do not like the results.
Each of these will warrant a different level of response from the company. Some are clearly grounds for dismissal, while others are less clear-cut. In the most serious cases, a data breach may even result in a lawsuit.
However, the company will be aware of the damage to its reputation and will want to deal with the issue as quickly and efficiently as possible. As with many things, prevention is better than cure. Employees should be fully aware of the GDPR and its principles from the start.