June 28, 2018
Authored by: Sarah Delon-Bouquet, Adam Turner and Emmanuelle Mercier
Welcome to the third post in our ‘GDPR HR Issues’ blog series. Drawing on key insights from across Bryan Cave Leighton Paisner’s global Employment & Labor team, the series highlights key GDPR issues affecting employers.
This blog focuses on the new obligations imposed by the GDPR to notify the relevant supervisory data protection authority (“DPA”) and the individuals whose personal data have been affected, when an employer becomes aware of a breach affecting personal data that it processes (a “data breach”).
If an employer discovers that the personal data it holds concerning its employees is, for example, accidentally accessed by a third party without authorization, what practical steps should it take to manage such a breach?
A personal data breach occurs when a breach of security affects the personal data’s confidentiality (unauthorized disclosure or access to the data), integrity (data is involuntarily or unlawfully modified or destroyed) or availability (loss of data). Data breaches can be accidental or deliberate.
- Take immediate action to mitigate the breach (for example, restore access authorizations where there has been a security failure and take such other IT security measures as are necessary);
- Set up a crisis team. This should include the Data Protection Officer (the “DPO”) if the company has one (or if not, a person responsible for data privacy in the organization) as well as people from HR, Legal, IT and any other