Disclosing security breaches in SMEs
For small and medium-sized enterprises (SMEs), the need to protect regulated data is a big enough headache. Now a coming decree under the new Data Protection Framework adds to the pain: when a breach occurs and such data leaks into the public domain, the breach must be disclosed to the Data Protection Office (DPO).
The need to disclose will be stipulated by coming changes in EU data protection regulations, which are to be implemented by in-country data protection bodies. For SMEs that centre their activity in the UK, this will be the DPO. The proposals are currently in draft form and are unlikely to be finalised for a year or two, so there is time to prepare for their likely impact, both in ensuring the ability to comply and in what they might add to a given business’s workload.