Welcome to the third post in our ‘GDPR HR Issues’ blog series. Drawing on key insights from across Bryan Cave Leighton Paisner’s global Employment & Labor team, the series highlights key GDPR issues affecting employers.

This blog focuses on the new obligations the GDPR imposes on an employer that becomes aware of a violation affecting personal data that it processes (a “data breach”): to notify the relevant supervisory data protection authority (“DPA”) and the individuals whose data have been affected.

If an employer discovers that the personal data it holds concerning its employees is, for example, accidentally accessed by a third party without authorization, what practical steps should it take to manage such a breach?

  • What is a “data breach”?
  • A personal data breach occurs when a breach of security affects the personal data’s confidentiality (unauthorized disclosure or access to the data), integrity (data is involuntarily or unlawfully modified