If you know that a data breach has occurred, or are unsure whether one has, you must inform dataprotectionofficer@north-ayrshire.gov.uk immediately.
Why? The Data Protection Officer (DPO) has only 72 hours from the organisation becoming aware of the incident to assess whether it is reportable to the Information Commissioner’s Office (ICO – the data protection governing body).
What if you are unsure whether it is a breach or not? The DPO can still report, advising that we are unsure whether it meets the criteria of a breach until we investigate further. A follow-up report can then be submitted with the final outcome.
Why report if we are unsure? Why not wait until we know? To comply with the UK Data Protection Regulation (UK GDPR), we have a legislative obligation for the DPO to assess and report within 72 hours. If we report too late, this can result in the ICO taking action against the Council.
