Earlier this year, Birketts celebrated the 15th international Data Privacy Day. We produced a series of top tips for data protection to provide easy to understand and memorable tips focussing on key issues we know our clients deal with on a daily basis.
One of the most stressful issues our clients have to deal with is managing data breaches.
Whilst there are a number of things that can be implemented to avoid data breaches, sometimes they are unavoidable. It is important that you know what to do in the event of a breach and how to deal with this in the short term.
1. Make sure your staff are aware of what constitutes a personal data breach and who they must inform within the business if they become aware of a breach.
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Make sure staff are properly trained to recognise when a breach has occurred and that they know which member of staff they need to contact if this happens. Even if the company does not have a formally appointed Data Protection Officer, there should be a senior member of staff who manages data protection matters, and the identity of this person should be clear to everyone within the business.
2. Ensure you have plans, processes and policies in place to address breaches effectively and consistently.
You must be able to respond swiftly and appropriately to a data breach. You will need to be able to judge whether the Information Commissioner and/or the data subjects (who the data relates to) need to be informed. This will be greatly assisted by a good response plan.
3. Respond to a breach quickly – does the Information Commissioner need to be informed?
It is a common misconception that under the recent GDPR legislation, every breach needs to be reported to the Information Commissioner. However, if the breach if likely to cause a risk to individuals’ rights and freedoms, then it must be reported. You must act quickly – a reportable breach must be notified to the Information Commissioner within 72 hours.
If you decide a breach is not reportable, then keep a record of the decision and the reasons for making it. You need to justify the decision not to report it to the Information Commissioner so you should document it in the event your decision is subsequently brought into question.
You also need to consider whether the data subjects affected by the breach need to be informed. If there is a high risk to the rights and freedoms of these individuals, then they need to be informed without delay. Whether this is the case will depend on the sensitivity of the data involved, and whether the individual needs to be able to act quickly to prevent further damage (e.g. by changing passwords). A breach which is not reportable to the data subjects concerned may still be reportable to the Information Commissioner.
4. Put systems in place to prevent a similar breach occurring and to mitigate the loss from this breach.
This may require technical changes to systems and security, and refresher training or changes to policies to make sure that staff know how to deal with personal data securely. Was it a problem with systems or human error? You need to be able to react accordingly and, above all, learn from any previous data breaches that have occurred.
The full top tips series is available on our website, and covers other topics such as the impact of Brexit (and ongoing changes), employment considerations, contracts, accountability and the Public Sector.
Established in October 2017, IPEC is a specialist Court within the High Court which hears cases on all forms of intellectual property rights (IPR). It has its own set of rules and procedures.
This articles is from the May 2021 issue of Upload, our newsletter for professionals with an interest in technology. To download the latest issue, please visit the newsletter section of our website. For further information please contact Mark Gipson or another member of Birketts’ Data Team.
The content of this article is for general information only. It is not, and should not be taken as, legal advice. If you require any further information in relation to this article please contact the author in the first instance. Law covered as at May 2021.