§ 26C — Duty to conduct assessment of data breach

26C.—(1) This section applies to a data breach that occurs on or after 1 February 2021.[40/2020]

(2) Subject to subsection (3), where an organisation has reason to believe that a data breach affecting personal data in its possession or under its control has occurred, the organisation must conduct, in a reasonable and expeditious manner, an assessment of whether the data breach is a notifiable data breach.[40/2020]

(3) Where a data intermediary (other than a data intermediary mentioned in section 26E) has reason to believe that a data breach has occurred in relation to personal data that the data intermediary is processing on behalf of and for the purposes of another organisation —(a)

the data intermediary must, without undue delay, notify that other organisation of the occurrence of the data breach; and

(b)

that other organisation must, upon notification by the data intermediary, conduct an assessment of whether the data breach is a notifiable data breach.[40/2020]

(4) The organisation must carry out the assessment mentioned in subsection (2) or (3)(b) in accordance with any prescribed requirements.[40/2020]

—(1) This section applies to a data breach that occurs on or after 1 February 2021.[40/2020]

(2) Subject to subsection (3), where an organisation has reason to believe that a data breach affecting personal data in its possession or under its control has occurred, the organisation must conduct, in a reasonable and expeditious manner, an assessment of whether the data breach is a notifiable data breach.[40/2020]

(3) Where a data intermediary (other than a data intermediary mentioned in section 26E) has reason to believe that a data breach has occurred in relation to personal data that the data intermediary is processing on behalf of and for the purposes of another organisation —(a)

the data intermediary must, without undue delay, notify that other organisation of the occurrence of the data breach; and

(b)

that other organisation must, upon notification by the data intermediary, conduct an assessment of whether the data breach is a notifiable data breach.[40/2020]

(4) The organisation must carry out the assessment mentioned in subsection (2) or (3)(b) in accordance with any prescribed requirements.[40/2020]