Whether it’s a sensitive email sent to the wrong person, a compromised or stolen device, or a loss of availability of personal data, it’s crucial that you know what to do in the event of a data breach. In this article, we’ll cover the essential steps to take if your organisation ever ends up in this situation, so that you can reduce the breach’s impact and put in place preventative actions in the future.
Preventing a data breach
First and foremost, we would recommend ensuring that appropriate technical and organisational measures are in place at your organisation, for example suitable policies and security controls. This way, you reduce the risk of a data breach occurring as far as you reasonably can. Read our article on preventing data breaches to find out if you're doing all that you can.
You can also ensure your organisation complies with data protection law through a data protection and information security audit, a service that the team at DPAS can offer. We will perform a thorough audit of your organisation’s compliance, helping you to identify any weaknesses in your processes and mitigate any risk. Click here to learn more about our data protection and information security audit service.
However, your organisation could have everything entirely shipshape, with totally secure systems and well-trained staff, and a breach can still occur. There’s unfortunately not much you can do to make a data breach impossible, which makes it all the more important to understand your responsibilities should it happen.
Step 1: Determine if the breach needs to be reported
That's right, not every personal data breach needs to be reported to the ICO. The test in Article 33(1) of the UK GDPR is whether the breach is likely to result in a risk to people's rights and freedoms: if such a risk is unlikely, no report is required, but the default is to report. To assess this, consider both how probable it is that the breach leads to unwanted consequences such as identity theft, damage to reputation, or financial loss, and how severe those consequences would be for the people affected.
The ICO’s website has a handy self-assessment tool that can help you determine if the breach you’ve experienced needs to be reported.
It's worth noting, however, that if you decide the breach does not warrant a report, you must document that decision and the reasoning behind it. Article 33(5) of the UK GDPR requires you to document every personal data breach, reported or not: the facts of the breach, its effects, and the remedial action taken. That record is how you demonstrate compliance with the accountability principle if the ICO later asks.
Step 2: Gather the facts
Whether your breach warrants a report or not, it's time to record the nature of the incident. Write down the facts about the occurrence as you discover them, together with any action you have taken so far, and timestamp each entry. In particular, note the date and time you became aware of the breach, because the 72-hour reporting clock runs from that moment, not from when the breach actually happened. This should be done as quickly as possible.
For example, if the breach was an email that ended up in the wrong inbox: who was the recipient? Was anybody else CC'd or BCC'd? Whose personal data was involved, and what did it contain? Gathering all the relevant information as soon as the breach is reported internally is key to taking the correct action, and to being able to demonstrate that you followed the right procedure.
Step 3: Damage control
Your plan of action now should be to see if any of the data is recoverable, or at the very least, if you can prevent any further information from being compromised. By doing everything in your power to contain the breach, you’re minimising the risk to data subjects as much as possible.
If the data was mistakenly sent to the wrong person, ask them to delete it (and any copies) and to confirm in writing that they have done so; a message cannot be "unsent" once it has left your organisation. If it was on a device that was stolen, wipe the device remotely, bearing in mind that a remote wipe only takes effect when the device next connects to the network, so it is no substitute for full-disk encryption and a strong passcode already being in place. There may not be a way for you to recover the personal data, but it's still important to stop the leak so that no more data is lost.
Step 4: Determine the impact on the subjects involved
Your priority in the event of a data breach should be the wellbeing of the data subjects. Is this personal data breach a mishap that ultimately won't cause distress or complications? Or will it put data subjects at risk of harm? If the breach is likely to compromise their safety or wellbeing in any way, they will need to be notified.
It's therefore paramount that you identify any potential risk of harm, regardless of severity, so that the best interests of the data subjects are properly considered.
Step 5: Reach out to the affected data subjects
If the breach is likely to result in a high risk to individuals, Article 34 of the UK GDPR requires you to inform them without undue delay that a breach has taken place. Where possible, offer support and advise them on how they can best protect themselves and minimise the damage. Depending on the exact nature of the breach, this might mean encouraging people to be vigilant for suspicious account activity or phishing emails, forcing a password reset on the affected accounts, and advising them to use strong and unique passwords.
Below that high-risk threshold, notifying individuals is your decision. Weigh whether telling people lets them take some protective action against the concern a notice may cause; if there is nothing they could usefully do and a notice would cause more worry than the breach itself, it may be best not to, but this is entirely your call and should be documented alongside the breach record.
If you do notify individuals about the breach, you must describe clearly and in plain language, at least:
- The name and contact details of your Data Protection Officer (DPO), if you have one, or another contact point where more information can be obtained
- A description of the likely consequences of the breach
- A description of the measures that have so far been taken – or have been proposed to be taken – to deal with both the breach, and where appropriate, any possible adverse effects.
Step 6: Report the breach
Now that you have the facts and you've taken action to protect those affected, it's time to submit your report to the ICO. It doesn't matter if you don't know absolutely everything about the incident yet; gather the information you can and report the breach without undue delay and, where feasible, within 72 hours of becoming aware of it. The UK GDPR allows the details to be provided in phases, so further information can be given later. If you miss the 72 hours, you must still report, and the report must give the reasons for the delay.
The UK GDPR does specify a set of requirements when it comes to what information you must provide when reporting a breach. These are:
- A description of the nature of the breach, including (where possible) the categories and approximate number of individuals and personal data records concerned.
- The three items listed in step 5: a contact point (your DPO or another), the likely consequences of the breach, and the measures taken or proposed to address it.
You can report a data breach to the ICO by filling out a form on their website.
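The record-keeping in steps 2 and 6 is easy to get wrong under pressure, so here is an added example, written for this article rather than taken from DPAS or the ICO, of a minimal breach log entry that tracks the facts and actions (Article 33(5)), the step 1 reportability decision, the Article 33(3) fields supplied so far, and how long remains of the 72-hour window measured from the time of awareness. The misdirected-email scenario, its timestamps and the `dpo@example.org` address are constructed for illustration and are not a real incident.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Article 33(1) UK GDPR: notify the ICO without undue delay and, where feasible,
# no later than 72 hours after becoming AWARE of the breach. The clock runs from
# awareness, not from when the breach actually happened.
NOTIFICATION_WINDOW = timedelta(hours=72)

# Article 33(3): what the ICO notification must contain. The last three entries
# are the same items step 5 requires in a notice to data subjects.
REQUIRED_FIELDS = (
    "nature",                  # description of the nature of the breach
    "categories_of_subjects",  # categories of individuals concerned
    "approx_subjects",         # approximate number of individuals
    "approx_records",          # approximate number of personal data records
    "contact_point",           # DPO or other contact point
    "likely_consequences",     # likely consequences of the breach
    "measures",                # measures taken or proposed, incl. mitigation
)


@dataclass
class BreachRecord:
    """One entry in the internal breach log.

    Article 33(5) requires the facts, effects and remedial action to be
    documented for EVERY breach, reportable or not, so the entry is kept
    even when the step 1 decision is "do not report".
    """
    aware_at: datetime                                    # moment the organisation became aware (UTC)
    facts: list[str] = field(default_factory=list)        # what happened, appended as discovered (step 2)
    actions: list[str] = field(default_factory=list)      # containment / remedial action taken (step 3)
    notification: dict[str, str] = field(default_factory=dict)  # Art. 33(3) fields filled in so far
    reportable: bool | None = None                        # None until the step 1 decision is made
    decision_rationale: str = ""                          # why it is / is not being reported

    def deadline(self) -> datetime:
        """Latest time the ICO notification should be submitted."""
        return self.aware_at + NOTIFICATION_WINDOW

    def missing_fields(self) -> list[str]:
        """Art. 33(3) items not yet supplied; these may follow in phases (Art. 33(4))."""
        return [f for f in REQUIRED_FIELDS if not self.notification.get(f, "").strip()]

    def status(self, now: datetime) -> dict:
        """Outstanding work on this record at time `now`."""
        issues: list[str] = []
        if self.reportable is None:
            issues.append("reportability decision not yet made (step 1)")
        elif not self.decision_rationale.strip():
            issues.append("reportability decision not documented (Art. 33(5))")
        remaining = self.deadline() - now
        overdue = self.reportable is True and remaining < timedelta(0)
        if overdue:
            issues.append("72h window has passed: notification must give reasons for the delay (Art. 33(1))")
        return {
            "hours_remaining": round(remaining.total_seconds() / 3600, 2),
            "overdue": overdue,
            "missing_fields": self.missing_fields() if self.reportable else [],
            "issues": issues,
        }

    def status_after(self, hours: float) -> dict:
        """Convenience wrapper: status `hours` after the organisation became aware."""
        return self.status(self.aware_at + timedelta(hours=hours))


def misdirected_email_example() -> BreachRecord:
    """Constructed scenario (not a real incident): the mis-sent email from step 2."""
    rec = BreachRecord(aware_at=datetime(2024, 3, 4, 9, 0, tzinfo=timezone.utc))
    rec.facts += [
        "08:55 payroll summary emailed to an external address via autocomplete error",
        "recipient: one external individual, nobody in CC/BCC",
        "contents: names, NI numbers and salaries of 40 staff",
    ]
    rec.actions += ["09:10 recipient contacted, confirmed deletion in writing"]
    rec.reportable = True
    rec.decision_rationale = "NI numbers plus salary data: identity theft and financial loss are plausible"
    rec.notification.update({
        "nature": "payroll summary sent to a single unintended external recipient",
        "categories_of_subjects": "employees",
        "approx_subjects": "40",
        "contact_point": "dpo@example.org (hypothetical address)",
        "measures": "recipient confirmed deletion; autocomplete disabled on the shared mailbox",
    })
    return rec


if __name__ == "__main__":
    rec = misdirected_email_example()
    print(rec.status_after(30))   # inside the window; two Art. 33(3) fields still outstanding
    print(rec.status_after(80))   # past the window; the notification must explain the delay
```

The point of keeping `reportable` as a three-state value is that "not yet decided" and "decided not to report" are different situations: the first still has the clock running, the second needs a written rationale on file. The `missing_fields` list is informational rather than blocking, because the law lets you submit what you have and complete the picture later.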
Step 7: Investigate the cause
Once the breach has been reported, those affected have been notified, and action has been taken to contain it, it’s time for the final step. To reduce the likelihood of a breach happening again in the future, it’s key to perform a root cause analysis. By getting to the bottom of how this personal data breach took place, you can take the necessary steps to make your organisation less vulnerable to these incidents in the future.
Was this breach caused by human error? Or was it due to weaknesses in the systems in place? Identify the issue and take action to prevent any repeat incidents.
If the cause was indeed human error, the leading cause of personal data breaches, there are a number of things you can do to prevent another. These include, for example:
- Foster a culture of trust, so that employees feel comfortable reporting any close calls.
- Update your policies and procedures.
- Provide mandatory refresher and induction training in data protection.
- Supervise and support staff in their roles until they’re fully proficient.
- Get into the habit of “check twice, send once”.
It’s all under control
By following these straightforward steps, you can be confident that you're following the correct procedure when it comes to responsibly handling a data breach. It's natural to feel worried and caught off guard when an incident like this occurs, but the important thing is to stay calm, go through these steps, and do your duty as a data protection professional.
As long as any breach that meets the reporting threshold is reported to the ICO within 72 hours of your becoming aware of it, every breach is documented, and steps have been taken to contain it, make those affected aware, and support them to keep themselves safe, there's no need to panic.
How we can help
We provide services to help organisations better manage data incidents and breaches and take the appropriate steps to prevent them. In the event of a data breach, our experienced Consultants will work closely with you, providing support on managing the incident and minimising the impact, and making sure that formalised procedures are in place to handle incidents in the future.
Depending on what you need from us, you can either get one-off support at a set fee, or pay a monthly retainer to have us support you whenever you need us (including a 24/7 data breach support hotline).
By outsourcing to DPAS, you can focus on your core business operations, save costs, and rest assured that your organisation’s incident response planning is in safe hands.