You’re faced with a data breach. What should you do?
There are a number of steps which organisations need to take when a data breach takes place, both to protect their data subjects and to protect the organisation itself.
What is a data breach? – A personal data breach under GDPR (sometimes referred to simply as a “data breach”) is a breach of security where personal data is accidentally or unlawfully lost, altered, destroyed, accessed or disclosed without authorisation. For example: a file of papers with customer address details is left on a train, an email is sent to the wrong address, data is maliciously altered by an employee, or your organisation falls victim to a cyber-attack.
Fact finding and investigation – It is essential to quickly assemble the factual background to the breach, asking questions such as: What happened? When did it happen? How did it happen? What data was involved, which individuals are affected, and what are the likely consequences of the breach? This needs to happen quickly, as the timeline for notification of data breaches is short. You should engage with your DPO or head of data protection (as applicable) at this stage to ensure they are fully aware of the situation. You will also need to consider how you will handle any press interest in the breach.
Notifying relevant regulators and individuals – Once you have established that a breach has taken place, you will need to act quickly. You must notify the relevant regulators if a data breach takes place which is likely to cause a risk to the data subjects’ rights and freedoms. This must be done within 72 hours of becoming aware of the breach. You will also need to notify any affected individuals of the data breach without undue delay if it is likely to result in a high risk to their rights and freedoms. Whatever you decide in terms of notification, it is essential to record your decision so that you can evidence your reasoning should a regulator question it. It might also be necessary to notify other third parties, e.g. the police or other regulators (FCA, SRA etc.).
Mitigation – You need to consider what steps can be taken to mitigate the impact of the data breach. The action you will need to take will depend on the nature of the breach. It may be necessary to contact individuals to advise them what steps they can take to reduce the impact of the breach, e.g. changing their password. If an email has been sent to the wrong address, it may be possible to recall the email or to obtain assurance from the recipient that they have deleted it and will not make any use of the personal data received.
Review and reflect – You should consider whether any changes need to be made to your processes and procedures to ensure similar data breaches do not take place in the future. For example, if you have suffered a cyber-attack you will need to review your information security procedures; in the case of the file left on a train, you may need to revisit your policies on home working and what information can be taken home.
Training – You should consider whether staff need any additional training following a data breach to reduce the risk of future breaches. This could be training for an individual employee, a specific department or for the whole business. Raising awareness of the risks your organisation faces can help prevent future issues.
There is a lot to think about when faced with a data breach. Having an established procedure in place that works for your organisation can be the difference between an unfortunate event which is resolved efficiently and effectively and a bad situation made worse by a failure to properly deal with it. If you need help to ensure you are ready to face data breaches, please get in touch and we will be happy to assist.