How to deal with a data breach

Firstly, what constitutes a data breach? A breach is any event or action, whether accidental or deliberate, which presents a threat to the security, integrity, confidentiality or availability of data. This includes:

  • Loss or theft of a physical record
  • Loss or theft of computer equipment
  • Equipment failure
  • Unauthorised access

That is why it is a good idea to have either a Data Protection Officer, or at least someone within the organization nominated as the data lead who is the go-to person in the event of a breach. Having the right policies in place means that managers and staff know the process to follow if such an event should occur and regular staff training can help mitigate against the most common forms of data breaches.

What information you need to collect

If a data breach is discovered or suspected, you need to act quickly to ascertain:

  • The date and time of the breach
  • The date and time it was discovered
  • What type of personal data was involved
  • The categories of data subject
  • Whether it involved sensitive data
  • How many data subjects it affects

The data lead will then need to assess whether the breach is still occurring. If it is, appropriate steps need to be taken immediately to stop it and to minimise its effects. They then need to liaise with the relevant staff to establish the severity of the breach.

Containment of the breach is the next step: where possible, take steps to recover the data or restrict its availability, either by revoking access or by temporarily making the data unavailable.

They will then need to determine whether anything further can be done to recover the data and to limit the damage caused by the breach.

They then need to determine, in liaison with the relevant staff, how best to resolve and remedy the data breach.

Because of the time-sensitive nature of reporting any breaches to the ICO, you must carry out the initial investigation within 24 hours. During the investigation you will need to review what actually happened and what organisational measures were in place; this includes the relevant policies and the people whose job it was to look after the data, as well as an assessment of what technical measures were in place. You will then need to think about the likely impact on the individuals whose data has been compromised, as this will also affect who you notify. It is also important to look at the consequences for the organisation. These could be reputational, financial and potentially criminal.

Who to notify

The police may also need to be contacted if the data breach resulted from a criminal act.

When considering whether (and how) to notify individuals in the event of a personal data breach, you need to consider the following:

  • the likelihood that data subjects’ rights and freedoms as set out in the GDPR will be adversely affected;
  • whether there is a legal or contractual requirement to notify;
  • the benefits to data subjects of being notified (e.g. giving them the opportunity to mitigate the risks posed by the data breach);
  • how to make it easy for affected data subjects to contact the Company to find out more about the data breach;
  • further assistance that the Company should provide to the affected data subjects, where appropriate.

When considering whether (and how) to notify the ICO of a data breach, note that the ICO has a self-assessment checker that will tell you whether you need to report: https://ico.org.uk/for-organisations/report-a-breach/

What information you will need

  • the category or categories and the approximate number of data subjects whose personal data is affected by the data breach;
  • the category or categories and the approximate number of personal data records involved;
  • the name and contact details of the company's data lead, from whom the ICO can obtain further information about the data breach;
  • a description of the likely consequences of the data breach; and
  • a description of the measures taken (or proposed to be taken) to address the data breach including, where relevant, measures taken to mitigate any possible adverse effects.

Once the data breach has been contained, and all necessary parties notified, the data lead should conduct a complete review of the causes of the data breach, the effectiveness of the measures taken in response, and whether any systems, policies, or procedures can be changed to prevent data breaches from occurring in the future.

Gayle Parker

Gayle’s passion is helping organisations protect themselves, their customers and their data from the ever-evolving threats of the digital world, whether that's through consultancy or practical, hands-on training. When it comes to protecting your data, you’re in safe hands. Gayle has helped lots of organisations successfully prepare and implement programmes for GDPR.