Personal data breaches happen, even with the best systems and controls in place. Simple human error is the cause of a significant proportion of the breaches reported to the ICO.
The prospect of a personal data breach can keep you up at night, but with the appropriate procedures in place you can be confident that you will identify breaches, act promptly to contain them as far as possible and do everything needed to comply with data protection law. We have identified eight key steps for you to follow.
1. Make sure staff know what a personal data breach is and who to inform if one happens
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Make sure staff are properly trained to recognise when a breach has occurred and that they know who to contact if this happens. Even if you do not need a formally appointed data protection officer, there should be a senior member of staff who manages data protection matters and the identity of this person must be clear to everyone within the business.
2. Have plans and processes in place to address breaches in an effective and consistent way
You must be able to respond swiftly and appropriately. We recommend that you have a documented breach response procedure in place which sets out:
- who is responsible for breach management;
- who should be contacted in the event of the breach (and their contact details and those of any deputy);
- guidance on how to contain the breach and assess risk (the Information Commissioner's Office (ICO) website has material you can draw on for this);
- the statutory timescales for making any reports (see below);
- a management process for containing the breach, assessing risk and implementing future preventative measures; and
- a template breach log.
3. Act quickly to contain the breach
Your priority when a breach happens should be to establish whether and how you can “turn off the tap” to prevent further loss of, use of, access to or disclosure of the affected data.
For example, do you have backups available if your systems are hacked and encrypted, or can you recall an email sent to the incorrect recipient or obtain their confirmation that they have permanently deleted or destroyed any data they have received?
4. Assess the risk
To assess the risk to the individuals the data relates to, you must weigh the likelihood of the data being irretrievably lost, or used or disclosed by an unauthorised third party, against the nature, volume and sensitivity of the data in question.
The containment action you take upon becoming aware of the breach will influence your opinion on likelihood.
The ICO website contains examples of breaches and associated risk assessment which you might find useful.
5. Determine whether the ICO needs to be informed
It is a common misconception since GDPR came into force that every breach needs to be reported to the ICO. In fact, only breaches which are likely to result in a risk to the rights and freedoms of the people whose personal data has been affected need to be reported (although every breach, reported or not, must still be logged; see step 8).
If a breach meets the reporting threshold, the ICO must be informed within 72 hours of your becoming aware of the breach. If you cannot report within 72 hours you must give reasons for the delay, and if you do not yet have all the facts you can report what you know and provide the remaining information in phases. You can make the report by calling the ICO helpline on 0303 123 1113, emailing [email protected], or completing the interactive form on the ICO website.
The ICO casework team will review your breach report and either consider the matter closed or ask follow-up questions. These usually focus on whether the breach is contained, whether any further detriment to individuals has been identified and what you have done to prevent the breach from reoccurring.
The ICO’s principal concern is that individuals suffer as little detriment as possible from data breaches. Engaging with them about a breach is not to be feared.
6. Notify affected individuals if required
If the breach is likely to result in a high risk to the rights and freedoms of those who have been affected, and you are unable to remove that risk (for example because the data was not encrypted, or because later containment action has not made the risk unlikely to materialise), you must let them know about it without undue delay.
You must tell them about the breach, any risks which you envisage and any steps you have taken to mitigate these risks. You should also advise them how they might protect themselves against these risks. For example, if financial information has been disclosed which could enable someone to commit identity fraud, you must at least advise the affected individuals to monitor their bank accounts and credit report for suspicious activity.
7. Identify and implement improvements to prevent the breach reoccurring
This could be upgraded firewalls and antivirus software, refresher training for staff, or an update to your data protection and information security policies depending on the nature of the breach. Was it a problem with systems or human error? React accordingly and, above all, learn from any previous data breaches.
8. Log the breach
It is a formal requirement of UK data protection law that data controllers keep a log of personal data breaches. This log must include information about the facts and effects of the breach as well as the action taken to contain it.
We suggest that you also include information about future preventative measures and whether the breach was reported. If you did not consider that the breach should be reported, you should also document your reasons in your breach log to support your case if your decision comes into question.
If you have any questions about the measures in this article, or would like to discuss other data protection areas, please get in touch with our Data Protection Team.
The content of this article is for general information only. It is not, and should not be taken as, legal advice. If you require any further information in relation to this article please contact the author in the first instance. Law covered as at January 2024.