It has now been one year since the GDPR came into force, so what better time to give your data breach response procedure a health check?
Regardless of the size of your business or where you are on your compliance journey, these practical tips should answer your fundamental data breach questions.
If you already have cyber security measures and a data breach response plan in place, you can use this guide to ensure that all of the points below are included. If you are yet to implement a plan, the points provide suggestions on what it should cover.
If you identify a data incident, immediately inform all appropriate individuals about it. This could include your data protection officer, head of cyber security, IT department, and where relevant, your HR team.
They should contain the issue quickly and appropriately. For example, if you have identified that a hacker has broken through your firewall and can access your systems, their access must be blocked. If an email has been misdirected, there is the possibility of recalling the email, though it is good practice to contact the recipient, request that they delete the email and any attachments, and then confirm this in writing.
Following identification of the breach, you should try to identify the root cause of it. You may need to seek external advice to assist with this, which could include engaging an IT consultant to investigate where a system penetration occurred, or seeking guidance from a lawyer who can assist with damage limitation and progressing the investigation.
We should all be aware of the importance of reporting a data breach to the ICO within 72 hours of discovery. However, the ICO has been inundated with reports of data breaches and has been at pains to confirm that not all incidents need reporting.
A distinction can be drawn between:
The ICO has a handy self-assessment for data breaches on its website that can help with this.
If you do conclude that the incident is a reportable data breach, complete and send the ICO’s “Report a personal data breach” form found at www.ico.org.uk. We recommend you use this form rather than creating your own account of what happened, as the ICO will only want this information initially.
If further information is required, they will contact you. At this point you may wish to seek external legal advice, in order to ensure that your report to the ICO is succinct and includes everything they need to know.
If you conclude that the data incident is not likely to result in a risk to people’s rights and freedoms, you should not just breathe a sigh of relief and forget about it. Treat this as a learning opportunity and assess how well the incident was dealt with. You must document the incident internally and include how and why the incident occurred, and what you did about it.
Should the incident come to light and the ICO investigate it, the first question they will ask is why it was not reported. In this scenario, you should be able to present your internal assessment to the ICO to confirm why it was not reported. Fully documenting an incident will show the ICO that you take cyber security seriously and are willing to learn from previous incidents.
We all like to think the worst won’t happen. However, investing in the right resources and doing the ground work before any incident occurs saves time and ensures that an event can be controlled efficiently.
A strong response plan increases the likelihood of the breach being contained much more quickly and can result in the difference between the event being an incident, and a reportable data breach.
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at May 2019. Specific advice should be sought for specific cases. For more information see our terms & conditions.