Data breaches can happen to anyone, at any time. So, it’s important to know what to do in the event one happens within your organisation.
While not all breaches are created equal, there is a blueprint to follow when executing your management strategy. In this blog, we’ll provide some guidance on the steps you can take to begin managing a data breach in a coordinated manner.
How to contain a data breach
The UK GDPR introduces a duty on all organisations to report certain personal data breaches to the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach, where feasible.
If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, you must also inform those individuals without undue delay.
You should ensure that you have robust breach detection, investigation and internal reporting procedures in place. This will help you decide whether or not you need to notify the ICO or the affected individuals, or both.
You must also keep a record of any personal data breaches, regardless of whether you are required to notify them.
What constitutes a personal data breach?
To be clear, a personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data. For more information, read our blog: What is a data breach?
What to do if your organisation suffers a breach
If you have a data breach, the first thing to do is stop and assess the situation.
- What happened?
- When did it happen?
- When and how did you discover the breach?
- What categories of personal data are involved?
- How many records of personal data are involved?
- How many people are affected?
- What categories of people are affected, e.g. employees, customers, patients, children?
- What are the potential consequences of the breach?
- Is the breach likely to result in a high risk to the people involved?
- What actions can you take to contain the breach?
- How can you prevent a recurrence?
A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to individuals, such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, damage to reputation, loss of confidentiality, etc.
This means that a breach can have a range of adverse effects on individuals, which include emotional distress and physical and material damage. Some personal data breaches will not lead to risks beyond a possible inconvenience to those who need the data to do their job. Other breaches can significantly affect individuals whose personal data has been compromised. You need to assess this case by case, looking at all relevant factors. To address the situation in as timely a manner as possible, seek advice from the experts immediately.
Should I report a data breach to the ICO?
The next step is to assess whether you need to report the breach to the ICO.
When a personal data breach has occurred, you need to establish the likelihood of the risk to people’s rights and freedoms. If a risk is likely, you must notify the ICO; if a risk is unlikely, you don’t have to report it. However, if you decide you don’t need to report the breach, you need to be able to justify this decision, so you should document it.
Should I inform the individuals involved?
The third step is to assess whether you need to tell the individuals involved about the breach.
If a breach is likely to result in a high risk to the rights and freedoms of individuals, the UK GDPR says you must inform those concerned directly and without undue delay. In other words, this should take place as soon as possible.
A ‘high risk’ means the threshold for informing individuals is higher than the threshold for notifying the ICO. Again, you will need to assess both the severity of the potential or actual impact on individuals as a result of the breach and the likelihood of that impact occurring. If the impact of the breach is more severe, the risk is higher; if the likelihood of the consequences is greater, then again the risk is higher. In such cases, you will need to promptly inform those affected, particularly if there is a need to mitigate an immediate risk of damage to them. One of the main reasons for informing individuals is to help them take steps to protect themselves from the effects of the breach.
Need data breach management advice?
At Sapphire – Data Protection Consultants, we can serve your organisation as an outsourced DPO, giving you essential access to data protection advice whenever you need it. Our services include comprehensive breach management advice, so you can rest assured your organisation is well-equipped to deal with such an event.
Contact us today for a free consultation.