If you experience a data breach, time is of the essence. Firstly, you should consult with your data protection officer to confirm whether there is a reporting obligation. If it is a reportable breach as defined within the UK GDPR, you have 72 hours to inform the appropriate supervisory authority(the Information Commissioner's Office (ICO) in the UK). Our data breach response plan will guide you through the steps to take when you identify a breach.
The most important points to consider are:
- Plan a clear data breach response - it saves time and effort.
- Identify whether it is a personal data breach and whether it is reportable.
- Promptly discuss possible mitigation measures with your data protection officer (DPO).
- Review all the steps outlined in the example process below
- Decide whether you need to notify the ICO.
- Finally, if deemed significant, notify the affected individuals.
In this article:
- Actions to follow in the event of a data breach: sample process
- Step 1: Contact your data protection officer
- Step 2: Review the case
- Step 3: Immediately implement mitigation measures
- Step 4: Notify the ICO
- Step 5: Notify data subjects
- Step 6: Take preventative action for the future
- Conclusion: Handling data breaches with confidence
Actions to take in the event of a data breach: sample process
If you notice or even suspect a data breach, you should act quickly – if you don’t, the consequences for your company may be extensive. Fines and reputational damage are possible outcomes. Therefore, it makes sense to follow a proven process to create your data breach response plan.
Step 1: Contact your data protection officer
The first point of contact in the event of a data breach is your DPO. Provide as much detail about the breach as possible so that he or she can help you assess the damage and identify the next steps.
If your company does not have a DPO, for example, because it is not mandatory for you due to the size of the company or industry, you can get information and guidance from the ICO’s website.
We give a basic overview about a data protection officer in this blog.
Step 2: Review the case
The UK GDPR does not require you to report every breach. Before you decide whether the breach is reportable, you need to review the facts in detail to identify the level of risk to the rights and freedoms of the data subjects. Whilst every data breach will involve a risk, the deciding factor in whether to report it is determined by the level of that risk, for example, low, normal or high. Your data protection officer will help you assess these risks.
Examples of low risks include:
- the loss of a storage medium that contains personal data, but it is encrypted, for example, the storage is password protected. (Here you can find information about backup and data recovery)
- a letter sent incorrectly but returned unopened to your address.
- the loss of an internal company list containing employees' private phone numbers.
Normal to medium risks
Normal to medium risks include, for example, newsletters that have been sent that clearly show all recipients email addresses. Although the group of people here is usually extensive, the disclosure of e-mail addresses may be less sensitive than, for example, the forwarding of bank details.
Personal data, such as medical diagnoses or bank details can have extensive consequences for the data subjects if viewed by third parties. Data breaches in connection with such sensitive information should be classified as "high".
Summary: check what specific data has been lost and how many people are affected by the data breach. The more extensive the loss, sensitive the information and the larger the group of people affected, the higher the risk.
Step 3: Implement mitigation plans
As soon as you understand the situation, you should implement risk mitigation actions as best you can. For example, if you have lost access to data for internal servers, you should change the passwords immediately. If security gaps in the system allow a hacker attack to succeed, you should contact your IT specialist and eliminate the risk.
Another useful tool to have prepared in advance in the event of a data breach is list of actions and information to collect. You can consult this in an emergency to ensure you gather the relevant details to ensure you can make the correct decisions on further preventative measures. Include the relevant people to contact in case of an emergency, for example in IT Security, so that you and your employees can react quickly in case of doubt.
Step 4: Notify the ICO
Where a data breach is deemed to have normal to medium risks or high risks, the ICO must be informed. You have 72 hours from the moment you become aware of the breach to notify the authority. Whilst you might not notify the authority for a low-risk breach, you should still take measures to avoid similar cases in the future.
|Tip: If you cannot respond within 72 hours for compelling reasons, you must include a justification for the delay with your notification. If this is understandable (for example, because you were busy taking countermeasures to mitigate the damage), you will generally not face additional penalties for the failure to report on time.|
A good data breach response plan will include a sample notification to the supervisory authority. In it, you should be able to enter what exactly has happened, how many people are likely to be affected, what measures will be taken and what the possible consequences are. You should also include the contact details for your DPO.
Step 5: Notification of data subjects
Data subjects must be informed if you have identified that there is a high risk of impact to the individual freedom or personal rights of those people affected. This could be, for example, the unauthorized disclosure of bank details or health data.
Data subjects do not usually have to be notified if, for example, you have lost data on encrypted storage media that is not accessible to third parties. The obligation to notify data subjects may also not apply if you have prevented high risks to the rights and freedoms of individuals by implementing risk prevention measures during the breach.
Step 6: Future considerations
You may see alarm bells that indicate unauthorised persons are trying to access internal systems, re-evaluate the risk likelihood criteria and update the mitigation controls to further prevent this from becoming a reality.
Identify potential data mishaps and review how you can prevent these. For example, is storage media or the data saved on it encrypted? If not, you should consider implementing such precautions.
Do your employees know how to report an actual or suspected data leak? If there is no DPO, your company should at least have a central point of contact for security and data protection issues. This person will help you review ongoing data protection measures and implement the breach action plan when required.
Conclusion: Mastering data breaches with confidence
When a data breach is suspected or discovered, you must act quickly. We have created a template that includes actions to follow in the event of breach. You also have access to a qualified data protection officer who is available to advise you throughout the process. Together with the DPO, you can take preventative measures to avoid data breaches in the future and maintain your company’s reputation. Active communication of your data protection measures to your customers and partners demonstrates that your company is professional and trustworthy.
You have further questions regarding DPO, or you're already looking for an external solution? Our experts will be happy to answer any question. Feel free to reach out for a free consultation!