Personal data breaches occur even with the best systems and controls in place. However, with the right procedures you can identify breaches promptly, act quickly to contain them, and comply with data protection law. Here are eight key steps to follow.
- Educate staff on personal data breaches
Ensure staff understand what personal data* is, what constitutes a personal data breach**, and who to inform if one occurs. Training should cover how to recognise a breach (including near-misses such as a misdirected email or a lost device) and name the contact person for data protection matters.
- Establish breach response plans and processes
Develop a documented breach response procedure detailing:
  - the individuals responsible for breach management and reporting
  - guidance on containing breaches and assessing risks
  - statutory reporting timescales
  - management processes for containment, risk assessment, and future prevention
  - a breach log.
- Act quickly to contain the breach
Immediately take mitigating steps to reduce the risk of further loss of, or unauthorised use of, access to, or disclosure of, the data. Depending on the breach this may mean, for example, revoking or resetting compromised credentials, recalling a misdirected email, isolating an affected system, or restoring data from backup. Containment should not wait for the risk assessment to be completed.
- Assess the risk
Create a risk assessment template to enable swift assessment of the risks the breach poses to the individuals concerned. Consider the likelihood of data loss or unauthorised use/disclosure, the nature, volume, and sensitivity of the data, and the likely consequences for those individuals.
- Determine ICO notification requirements
Not all breaches need to be reported to the ICO. A breach must be reported unless it is unlikely to result in a risk to individuals’ rights and freedoms. Where reporting is required, it must be made without undue delay and, where feasible, within 72 hours of becoming aware of the breach; if the 72-hour deadline is missed, the reasons for the delay must be given. The clock runs from awareness, not from the date of the breach itself.
- Notify affected individuals if necessary
If the breach is likely to result in a high risk to individuals’ rights and freedoms, inform them without undue delay. Provide details of the breach, the likely consequences, the steps taken to mitigate them, advice on measures they can take to protect themselves, and a contact point for further information.
- Implement preventative improvements
Learn from breaches to prevent recurrence. This may involve upgrading security measures, providing further staff training, or updating policies. Address both the system issues and the human errors that contributed to the breach.
- Log the breach
Record every breach in the log, whether or not it is reported to the ICO, detailing the facts, its effects, and the containment actions taken. Document the preventative measures adopted and whether the breach was reported. If it was not reported, record the reasons, so that the decision can be justified if the ICO later asks.
For further assistance or to discuss other data protection areas please contact the Data Protection Team.
* ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
** ‘A personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
The content of this article is for general information only. It is not, and should not be taken as, legal advice. If you require any further information in relation to this article please contact the author in the first instance. Law covered as at July 2024.