With cyber security attacks on the increase, the recent announcement that the Dutch DPA has fined Booking.com for reporting a data breach 22 days after it should have done is a timely reminder of the need to act quickly to assess data breaches and, if necessary, make a report.
Unless the breach is unlikely to result in a risk to the rights and freedoms of data subjects, both the EU GDPR and UK GDPR require notification to the relevant supervisory authority (in the UK this is the Information Commissioner's Office) without undue delay, and no later than 72 hours after becoming aware.
In the case of Booking.com the risk to the rights and freedoms of data subjects was clear: by means of a telephone scam, criminals persuaded hotel staff to provide access to booking details of 4,109 people and credit card information of 283 people.
Link to related article: https://www.privacylaws.com/news/netherlands-dpa-fines-bookingcom-475-000/