Outsource GDPR Breach Management?

If you've seen the film Pulp Fiction, then you know it's a procession of loud characters and one-liners. Harvey Keitel is no exception, playing Winston Wolfe - The Fixer.

"I'm Winston Wolfe and I fix problems!"

He also plays Victor the Cleaner in "Point of No Return". Much like the characters he plays, he knows his role inside out and gets the job done efficiently and with minimal fuss.

What these cleaners/fixers have in common is their specialist skills in crisis management.

Now I'm not implying organisations will ever have a crisis of the sort where Harvey needs to barge through the door, but there may be instances that require skilled interjection, at short notice, to manage an issue within a tight timescale. Bring on GDPR breach notification.

This is the closest compliance gets to exciting, so forgive my indulgence and let me make the most of it.

The GDPR brings with it regulations concerning data breach notification that must be adhered to, or the data controller concerned could face a fine of up to £10 million, or 2% of global group turnover, whichever is greater.

Article 33 (Breach notification to Statutory authority)
Article 34 (Breach notification to Data Subject)

The ICO provides a concise overview of breach notification on their site, but in essence you will need to:

Investigate the breach

Qualify whether the breach requires Statutory Authority notification

Notify the Statutory Authority (in the UK that's the ICO) as soon as possible, or within 72 hours of becoming aware of the breach. This is actual hours, not working hours or opening hours, so I guess Friday isn't a good breach day.

Include relevant information within the notification such as:

  • Nature of the data
  • Categories and numbers of individuals
  • Categories and number of records
  • Name of the Data Protection Officer, if you have one. Let's hope they're not on holiday
  • Description of the likely consequences of the breach
  • Description of the measures taken to mitigate adverse effects

All this takes time, skills and knowledge, all of which you will be short of. Hence a fixer may be a good solution to your breach notification, especially if it's included as part of a DPO-as-a-service offering.
