What to do if a data breach occurs
What to do if you suffer a data breach
Organisations rely heavily on technology to function efficiently, and the majority of vital personal data is now stored on computer devices. Any business can fall victim to a data breach whether it’s by employee human error or a malicious cyber attack. And with potential huge fines, a damaged reputation and potential loss of business on the line, it’s vital you are prepared and know what to do if a data breach occurs.
What is a personal data breach?
A personal data breach is a breach of security that leads to the destruction, loss, alteration, unauthorised disclosure or access to, personal data. This includes breaches that are both accidental or deliberate.
There will be a personal data breach whenever any personal data is lost, destroyed, corrupted or disclosed, if someone accesses the data or passes it on without proper authorisation, or if the data is made unavailable e.g. if it has been encrypted by ransomware, or accidentally lost or destroyed.
A personal data breach can include;
Access by an unauthorised third party, sending personal information to the wrong recipient, devices containing personal data being lost or stolen, alteration of personal data without permission, loss of availability of personal data and the deliberate or accidental action/inaction by a controller or processor.
What can you do to prepare?
- Make sure you understand the requirements of the GDPR and how your organisation collects, stores and uses personal data. Knowing how data flows through your organisation will help you identify any weak spots.
- Ensure your privacy notice is clear and easy to understand so your customers, partners etc. know what data you collect, why and how it is used.
- Human error is one of the biggest security risks, it’s very easy for example for an employee to accidentally click a link in and email or download a malicious attachment, so it’s vital to make sure all staff are education on cyber security and the GDPR (and have refresher training every so often).
Reporting the data breach
On becoming aware of a breach, you should try to contain it and assess the potential impact for individuals affected, based on how serious or substantial these are, and how likely they are to happen.
Under the GDPR, data breaches must now be documented and reported to the Information Commissioners Office (ICO) within 72 hours of becoming aware of it. If you take longer than this, you must give reasons for the delay. In some circumstances, if it’s very unlikely to result in a risk to people’s rights and freedoms, you don’t HAVE to report it but you will need to be able to justify this decision and still document it.
What information do we need to provide?
According to the ICO, when reporting a breach, the GDPR states you must provide the following information;
- A description of the nature of the personal data breach and where possible include: the categories and approx number of individuals concerned and the categories and approx number of personal data records concerned.
- The name and contact details of the data protection officer (if your organisation has one) or other contact point where more information can be obtained.
- A description of the likely consequences of the data breach
- A description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.
What if we don’t have all the information yet?
The GDPR does recognise that it’s not always possible to fully investigate a breach and understand what happened within 72 hours. Article 34(4) allows you to provide the information in phases, as long as it is done without undue further delay.
It is expected that controllers prioritise the investigation, give it the adequate resources and expedite it urgently. The ICO must still be notified of the beach within 72 hours, and all information submitted as quickly as possible.
Do we need to tell those affected about the breach & what information should we provide?
Under the GDPR, if a breach is likely to result in a high risk to the rights and freedoms and the individuals affected, you must inform those concerned directly and as soon as possible. If you decide not to notify individuals, you will still need to notify the ICO unless you can demonstrate that the breach is unlikely to result in a risk to rights and freedoms.
When notifying individuals you must provide the information on the nature of the breach and ensure you use clear and easy to understand language. You must then at least provide;
- The name and contact details of your data protection officer (if your organisation has one) or other contact point where more information can be obtained;
- A description of the likely consequences of the data breach.
- A description of the measures taken, or proposed to be taken, to deal with the personal data breach and including, where appropriate, of the measures taken to mitigate any possible adverse effects.
What happens if we fail to notify?
Failing to notify a breach when required to do so can result in a significant fine up to 10 million euros or 2 per cent of your global turnover. It’s also worth noting these fines could be worse if it’s found you aren’t GDPR compliant/didn’t have the appropriate security measures in place.
It’s important to make sure you have a robust breach-reporting process in place to ensure you detect and can notify a breach on time and provide the necessary details.
Never has security been as important as it is today. Data is flowing everywhere, from device to device, to different locations – around the globe. The volume and importance is growing rapidly and making sure that the right people can access your data in the right way, at the right time is critical.
Your information is one area of business where you cannot afford to take any risks. Ask yourself, is your security up to scratch? We’ve been helping organisations protect their operations and intellectual property from increasingly malicious and complex cyber threats for years.
Find out more about our security services here.