Your organisation has suffered a personal data breach.
(Dun dun dun duuuuuuuuuuuuuuuuuuuun)
It should come as no surprise to learn that we, the Data Privacy Advisory Service, are very concerned about the long lasting, in some cases severe, side effects that a data breach can bring to your business.
In light of this, we decided to create a one-stop guide which will help you to confidently and efficiently identify, and respond to, anything a data breach could throw your way.
First things first, what is a personal data breach?
A personal data breach, in general terms, is an incident that leads to the confidentiality, integrity, or availability of data being compromised. This could happen by accidental means, or deliberate. For a data breach to be considered under GDPR personal data must be included – so numbers might not count, or anonymised databases for example.
Confidentiality, integrity, and availability could cover many things. Using the CC function on emails, rather than BCC could potentially breach confidentiality, a fire or flood could affect availability, and if a healthcare provider made an entry in the wrong record this could alter the integrity of the data. These events are all analysed by considering risk.
They are more common than you might think, and regularly hit the headlines, take for example (a completely theoretical scenario not at all inspired by events which transpired at Morrisons), a disgruntled employee copied payroll data from company resources, publishing the personal data of 100,000 employees onto a file-sharing website. This would be a significant personal data breach resulting in a loss of confidentiality. The Morrisons case had some more intricate nuances, but similar incidents are not uncommon.
We put together a guide breaking down the process of a root cause analysis, which may help you understand the process further.
Other examples of a data breach include (but are not limited to);
- A hacker gaining unauthorised access to a database or email server etc.
- Sending personal data to an incorrect recipient (whether intentional or not).
- Loss or theft of devices which contain personal data, think phones and laptops.
- Altering personal data without permission.
- Loss of availability of personal data, this could be through cyber-attacks.
Reacting to a data breach: first steps
When an incident occurs, it is important to establish whether personal data is affected. If so, there are some further steps you will need to take. Sometimes this could include notifying the ICO, and/or the data subjects (Articles 33 and 34 if you want some light reading).
Once you are aware of a data breach, the clock starts – there are strict reporting requirements when there is a risk to individuals rights and freedoms. Firstly, “turn off the tap” – can you stop the breach immediately? Do you need to contact IT? There are lots of scenarios at play but taking the necessary steps to stop the breach should be the first point of call. Remember to record the data breach and your actions on a log too, this demonstrates your decision making, keeping you in line with the Accountability principle.
When do we need to report a data breach?
So, you know you have had a data breach, you may have managed to make it stop, now what? Well, if there is a risk to the rights and freedoms of your data subject then you would need to report the breach to the ICO, they have a pretty simple tool available online that will help you decide if it is necessary to report. In more serious cases, when the risk to the individual’s rights and freedoms is high, you may need to inform the data subjects.
When reporting a breach, the UK GDPR, and the ICO’s guidance says you must provide a description of the nature of the personal data breach including, where possible:
- The categories and approximate number of individuals concerned.
- The categories and approximate number of personal data records concerned,
- The name and contact details of the data protection officer (if your organisation has one) or another contact point where more information can be obtained,
- A description of the likely consequences of the personal data breach,
- A description of the measures taken, or proposed to be taken, to deal with the personal data breach,
- Where appropriate, the measures taken to mitigate any possible adverse effects.
It’s worth noting that if you do not have access to all the information required by the ICO, you can provide the details in phases as and when you collect them.
The good news is that you don’t need to report every data breach to the ICO, accidents happen, and if we can ensure that the risk to data subjects is low then all you need to do is log the breach internally, remember breaches can fall under more than one law (GDPR, DPA2018, PECR…).
How do I contact the ICO?
To notify the ICO of a personal data breach, you can either report it directly by phone (0303 123 1113) or by completing an online self-assessment tool which walks you through the information the ICO will require for each report.
If you’re curious about how we can help you to investigate, remediate, or prevent data breaches, get in touch at firstname.lastname@example.org or call us on 0203 3013384. Alternatively, consider enrolling in our course: Data Breach Root Cause Analysis.