- Make sure staff are aware of what constitutes a personal data breach, and whom they must inform within the business should they become aware of a breach. A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Make sure staff are properly trained to recognise when a breach has occurred and that they know which member of staff they need to contact if this happens. Even if the company does not have a formally appointed data protection officer, there should be a senior member of staff who manages data protection matters, and the identity of this person must be clear to everyone within the business.
- Have plans and processes in place to address breaches in an effective and consistent way. You must be able to respond swiftly and appropriately. You will need to be able to judge whether the Information Commissioner and/or the data subjects need to be informed, and this will be greatly assisted by a good response plan.
- QUICKLY respond to a breach. First determine whether the Information Commissioner needs to be informed. It is a common misconception that, under the recent GDPR-driven data protection legislation, every breach needs to be reported to the Information Commissioner; in fact, a breach must be reported if it is likely to result in a risk to individuals’ rights and freedoms. And you need to act quickly – a reportable breach must be reported to the Information Commissioner within 72 hours.
- If you decide a breach is not reportable to the Information Commissioner, keep a record of the decision and the reasons for it. You need to justify the decision not to report to the Information Commissioner, so you should document it in case your decision is subsequently brought into question.
- Determine whether the data subjects who are affected by the breach need to be informed. If there is a high risk to the rights and freedoms of these individuals then they need to be informed without delay. Whether this is the case will depend on the sensitivity of the data, and on whether the individual needs to be able to act quickly to prevent further damage (e.g. by changing passwords). A breach which is not reportable to the data subjects concerned may well still be reportable to the Information Commissioner.
- Put systems in place to prevent a similar breach occurring and to mitigate the loss from this breach. This may require technical changes to systems and security, and/or refresher training or changes to policies to make sure that staff know how to deal with personal data securely. Was it a problem with systems or human error? React accordingly. Above all, learn from any previous data breaches.
If you have any queries regarding our top tips for Brexit or need help in implementing them do get in touch.
Please feel free to like and share our top tips and check back again tomorrow for our next set of top tips.
Happy Data Privacy Day from the Birketts Data Protection Team.
The content of this article is for general information only. It is not, and should not be taken as, legal advice. If you require any further information in relation to this article please contact the author in the first instance. Law covered as at January 2021.