We get past the hype about changes in Data Protection (DP) and down to the practical steps and actions that an organisation needs to take to manage personal data legitimately, enabling you to deliver an enduring DP process.
firstcompliance for informed and practical support.
What is an Emergency Event?
An emergency or critical event is an event that requires a response within a limited time window. Dealing with these events appropriately is a Data Protection (GDPR) regulatory requirement. If these events are not managed, an organisation risks exposure to harm in the form of legal action, fines and reputational damage. In most cases emergency/critical events can be managed quickly and effectively if the appropriate processes are in place beforehand.
Types of Emergency Events
Data Breach
A data breach, in Data Protection (GDPR) terms, is the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Examples include a lost device, unauthorised access to data, the accidental delivery of data to the wrong person, or a cyber attack. A cyber attack may also be a criminal event and will require particular care (preserve evidence and involve law enforcement where appropriate). Unless the breach is unlikely to result in a risk to individuals, the Data Protection Commission (DPC) must be notified within 72 hours of the organisation becoming aware of it; the clock starts at awareness, not at confirmation of every detail, so record the time of discovery. Where the breach is likely to result in a high risk to individuals, those individuals must also be informed without undue delay.
Staff, Customer or Public Liability Confrontation
Updates to data protection legislation give an individual strong rights in relation to the processing of their personal data. In the event of legal action, data protection rights will often be used to establish the existence of data or to fish for a possible basis that can be leveraged. Early professional advice is advisable and will typically minimise the exposure and effort involved.
Subject Access Request (SAR)
A SAR is a request made by an individual to an organisation for the personal data it holds about them (importantly, this may include CCTV footage). Responding to a SAR is often over-complicated. Organisations must validate the identity of the requester, seek clarification from them if need be, make reasonable efforts to identify the personal data, review the data, and deliver the data together with the other statutory information to the data subject only. All of this must be done within one month of receipt; this can be extended by up to two further months for complex or numerous requests, but the requester must be told of the extension, and the reasons for it, within the first month. Many norms regarding what needs to be disclosed and what is exempt have been established.
State Authority Access Request (SAAR)
A SAAR is a request from a State Authority (police, customs or revenue) for data an organisation may hold on an individual. These requests should always be made on foot of a specific legal basis, which you are entitled to ask for in writing before disclosing anything, and they may result in you having to appear in court as a witness. Poor process may collapse a case or expose you to a claim of unlawful disclosure. You need to know how to react 'when the authorities come through the door'.
Have a set of simple processes in place to manage and record Data Protection events. These should be easily understood and accessible to the staff who will have to use them. Keeping it simple and getting the basics right will protect an organisation from harm. Time is always of the essence in these events.
If in doubt contact First Compliance without delay for experienced support in your emergency event response.
Top Tips to De-risk Emergency Events
- Ensure contracts (customer and staff) and privacy notices are in line with the GDPR.
- Train staff to recognise a breach or access request event.
- Know your purposes for processing data. Data held or used without a specified purpose may leave you open to liability.
These three items are likely to significantly reduce your exposure to an emergency event.