Preparation for the GDPR (#9 of 12)

[Lauren]

Following on from a forum question I thought it might be helpful to go through some of the issues that you might need to take into consideration in preparation for the GDPR that comes into effect next year.
I have been using this document as the basis of this piece: Preparing for the General Data Protection Regulation (GDPR). 12 steps to take now [ ICO. V.20 201700525]
Thing you need to know:
•    GDPR stands for: General Data Protection Regulation
•    The new regulation comes into effect from 25th May 2018
•    Much of it is the same as the current Data Protection Act requirements - however some things are different, and you need to know about them!
Something you need to do first: Work out who in your team will be able to help make sure you're compliant. It's probably good to have at least a couple of you working together so you can help each other out. 

You may also want to designate a Data Protection Officer. They will be able to advise you and check that you have done everything you need to. Not every setting will need this though - we'll come back to whether you do in post #11.
This is what early years settings might like to think about in preparation. 
•    Use the '12 steps to take now' document to audit what they already do to meet data protection requirements. 
•    Use the audit sheet to document the audit process
•    Collate details from 'To Do' list - make action plan 
•    Complete action plan!
This is #9 of 12 threads which will help you think about what you need to do to be ready for 25th May and is about data breaches – so what counts as a data breach, and what should you do if you think one has occurred.

What is a data breach?
Almost anything that causes personal data to be destroyed, accessed by someone who shouldn’t be able to access it, or changed in a way in which it shouldn’t have been changed is a data breach. It doesn’t matter whether it was accidental or malicious.
  
Some examples of that might be; accidentally permanently deleting or shredding the document where you store the email addresses for all your relatives; publishing a list of the names of your staff members, their postal addresses, and their NI numbers on your website; or being broken into and paperwork with children's names and addresses having feasibly been accessed – if they were in an untouched, locked safe you could reasonably expect that they hadn’t been accessed, but if they had been scattered over the floor you can tell that the data on them could easily have been read.

Who do you need to tell?

In cases where the data breach might affect the person it’s about (either economically or socially), you need to inform them personally and the ICO without delay and within 72 hours at the most. You can, and should, continue to investigate after informing them, but it is important that you do it within the 72 hour time frame, even if you can’t give them all the details straight away.

If you’re confident there will be no adverse effects from the breach and you know you can justify that opinion, you don’t have to tell either the ICO or the data subject.  

For example, if you lost a piece of paper which had children’s initials on and their Christmas lunch choice then you can be pretty sure that the loss won’t really matter. But, if that list is on school headed paper, has their full names on, includes details about some medical conditions for a child, and says who is entitled to free school meals, then you would want to report it.

If you are using a processor (for example an IT company) to hold onto some of the data you’re a controller for and they have a breach, they will need to tell you and you will need to inform the ICO and the people the data is about.

What to do after a breach?

Make sure you keep a record of the breach, even after your investigation has been completed with some details about what was lost and how it happened. As well as being able to refer back to it, it might help you to put processes in that make sure it the same thing doesn’t happen again.