I am working with my team in Ireland on a misdirected mail issue. The mail contained name (incorrect), address and account number only. Root cause: human error in adding his account details.
The DPA in Ireland lists 4 levels of risk associated with a breach: Low, Medium, High & Severe. It states ‘notification of any personal data breach to the DPC, unless they can demonstrate it is unlikely to result in a risk to data subjects’.
Do we need to notify the regulator of this breach, even if it's low risk?
What is a low level of risk for data breach reporting?
AudreyB
I recently used the assessment tool from https://www.mikemuha.com/
The DPC questioned how I had determined the category of risk and accepted this tool as my methodology.
rich
I suggest you review the following document – https://www.dataprotection.ie/sites/default/files/uploads/2019-10/Data%20Breach%20Notification_Practical%20Guidance_Oct19.pdf
The business needs to do a risk assessment (Pages 7-10, and 17) to understand the potential impacts to the rights and freedoms of the impacted data subjects (also taking into consideration the number of data subjects impacted). If the account number, name and address, in the context of other freely available public information, could pose a level of risk to the individuals then, even if low, the guidance from the DPC is to report. It appears that this determination has happened and, even though low, it meets the bar according to the DPC practices.