The first instalment of our series defined what a data breach is and outlined how to report one, should it occur (if you need a refresh, we advise you go back to our first blog post, it’s an enthralling combination of compelling puns and data protection regulations, if we do say so ourselves!).
Now that you’re all caught up, you may remember that only high-risk data breaches are required to be reported to the ICO or data subjects themselves. Often, an internal root cause analysis will be sufficient.
So, how is it done?
Step 1 – Establish which data has been compromised, and the potential impacts data subjects might face as a result.
It’s important to be thorough in this assessment – considering all reasonably-foreseeable possibilities at the point of the breach but also in the future.
Personal data is any information which relates to an identified/identifiable natural person. Examples include phone numbers, credit card details, personnel numbers, account data, number plates, appearance, addresses etc..
Special category data
Special category data alludes to any personal data, sensitive enough that it requires additional protection. This data may reveal an individual’s: race, political persuasion, sexual orientation, religious or philosophical beliefs, existence of trade union membership, genetic data or biometric data (that’s body measurements to you and me!).
A breach of special category data increases the risk of a data breach as the utilisation and exploitation of this data could wreak significant hassle on the data subject’s fundamental rights and freedoms.
Whilst personal data relating to criminal allegations, proceedings or convictions are not specifically listed as special category data, there are existing protocols and safeguards in place for processing this data which address the particular risks a data breach of this nature would incur.
Step 2 – Consider proportion
Size, in this case, does matter. A company with 50 employees and a company with 50,000 employees will be disproportionately affected by a data breach of 30 employees – the former case would be considered a high risk data breach, whereas the latter could be low risk, subject to the specific circumstances of the breach.
Identifying the risk score of the data breach is vital as it allows us to act proportionally and swiftly when an issue arises.
Step 3 – Conducting a root cause analysis
Conducting a root cause analysis refers, funnily enough, to the process of tracing a data breach back to its roots, in order to identify the appropriate resolution. This process also allows for identification of some of the common causes of data breaches and trends within your own organisation. In this sense it serves a preventative function, minimising the risk of future breaches,
Before we move any further, ask yourself the following question: does my organisation have an established system in place to report and investigate data breaches?
If not, you must create a data breach report template which is both understood and accessible to your whole team. If you require any assistance in the creation of such a report, incidentally, you might want to contact us. Drop us a message at email@example.com. We can help.
The next steps are as follows:
- Define issue (as previously mentioned)
- Collect data relating to the problem – A comprehensive (and therefore successful) analysis will include a discussion with the individual(s) who caused or were otherwise involved in the the data breach occurring, as well as the individual(s) who identified it.
- Identify causes of the issue – Some helpful questions to ask are; Is this a recurring issue? How recently/frequently has this occurred? Can we pinpoint what led to this breach i.e. human error (high workload, time pressure, insufficient training), systematic error, social engineering etc…
- Prioritise the causes – Categorise each cause, without attempting to solve them (yet). The recommended categories are people, process, technology, environmental, financial… the list goes on. While prioritising, consider the impact that each cause had on the data breach.
- Identify solutions and implement sustained change – This is the stage where we consider mitigating actions which will reduce the possibility of a similar data breach occurring in the future. Some helpful questions to ask here are; Who will be responsible for implementing mitigating actions? What will the time frame for implementation be? Who will monitor the implementation of remedial actions? How can we make sure our process for identifying data breaches is not merely reactive, but preemptive? How can we adopt a culture of preventing data breaches in our organisation?
If you require additional support with a data breach you can contact us at firstname.lastname@example.org or by calling our office at 0203 301 3384. Alternatively, consider enrolling in our course: Data Breach Root Cause Analysis.
You can see a case study of a previous root cause analysis with one of our clients here to read about how we helped them.