June 28, 2018
Authored by: Sarah Delon-Bouquet, Adam Turner and Emmanuelle Mercier
Welcome to the third post in our ‘GDPR HR Issues’ blog series. Drawing on key insights from across Bryan Cave Leighton Paisner’s global Employment & Labor team, the series highlights key GDPR issues affecting employers.
This blog focuses on new obligations imposed by the GDPR to notify the relevant supervisory data protection authority (“DPA”) and those individuals whose data have been violated, when an employer becomes aware of a violation affecting personal data that it processes (a “data breach”).
If an employer discovers that personal data it holds concerning its employees has, for example, been accidentally accessed by a third party without authorization, what practical steps should it take to manage such a breach?
- What is a “data breach”?
A personal data breach occurs when a breach of security affects the personal data’s confidentiality (unauthorized disclosure or access to the data), integrity (data is involuntarily or unlawfully modified or destroyed) or availability (loss of data). Data breaches can be accidental or deliberate.
- What immediate steps should an employer take when it discovers a data breach?
- Take immediate action to mitigate the breach (for example restore access authorizations where there has