GDPR guidance on personal data breaches

26 January 2018

The ICO has expanded its General Data Protection Regulation (GDPR) guidance page on personal data breaches. The expanded page includes useful checklists on preparing for, and responding to, a personal data breach.

Three new pages have also been added to the lawful basis section of the ICO's guidance. You must have a valid lawful basis in order to process personal data, and there are six available under Article 6 of the GDPR:

  • Consent
  • Contract
  • Legal obligation
  • Vital interests
  • Public task
  • Legitimate interests

Special category data and criminal offence data are not lawful bases in themselves: processing them requires one of the six bases above plus an additional condition under Article 9 or Article 10 respectively, and the ICO guidance covers these on separate pages.

The three new pages cover contract, legal obligation and vital interests.


CIPP comment

GDPR (General Data Protection Regulation) should be on the radar of all businesses. It applies from 25 May 2018 to organisations established in the EU and to organisations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU (regardless of what happens with the Brexit negotiations). A personal data breach must be reported to the ICO within 72 hours of the organisation becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. Sanctions for failing to report are steep: up to €10m or 2% of global annual turnover, whichever is higher.

The CIPP’s Policy News Journal (a benefit for members only) contains all the latest information on GDPR – go to My CIPP on our website to access the journal.

The CIPP also runs a half-day training course which will help delegates understand and prepare for the changes, including how they affect payroll and HR functions, so that they can help their organisations become fully compliant by 25 May 2018.