Fortnum & Mason has become the latest victim of a data breach, after the details of about 23,000 customers, including addresses and contact phone numbers, were accessed by an attacker. The affected customers had either filled out a survey or taken part in an online competition organised by Typeform, a company specialising in the creation of online surveys and forms.
As reported in The Independent, Typeform discovered on 27th June that an unknown third party had accessed its server and downloaded information. The company said it responded immediately and "fixed the source of the breach". Note that the breach occurred at a supplier rather than at Fortnum & Mason itself: the customer data was being held and processed by Typeform on Fortnum & Mason's behalf, which is exactly the situation in which GDPR's processor and controller obligations come into play.
Whilst everyone has been focusing on the impact GDPR has had on contacting their client database, many other aspects of GDPR have been overlooked, in particular ensuring that any data breaches that do occur are handled correctly and reported as required.
Under the General Data Protection Regulation, a processor that suffers a breach (as Typeform did here) must notify the controller without undue delay. Once the controller has established that a personal data breach has occurred, it must:
- Notify the ICO without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals; and
- Notify the individuals whose personal data is affected, without undue delay, where the breach is likely to result in a high risk to their rights and freedoms (save in specific circumstances, for example where the data was encrypted and therefore unintelligible to the attacker).
If the notification to the ICO is not made within 72 hours, it must still be submitted, accompanied by the reasons for the delay. Whatever the decision on notification, the controller must document the breach, its effects and the remedial action taken, so that the ICO can verify compliance.
Having an up-to-date privacy policy, and ensuring all staff are aware of the procedure they should follow in a situation such as this (who to tell, how to assess the risk, and who is responsible for notifying the ICO and the affected individuals within the deadline), is a good starting point.
Should you need assistance with your privacy policy, please feel free to contact us on 0208 5777 130 or via our contact page.