Data breaches (which may or may not involve personal data) come in all
shapes and sizes. A breach may, for example, involve the loss or theft of
data, the unauthorised access to, use of, or modification of data, or
something apparently less direct such as equipment damage, human error, or
the loss or theft of equipment, a business laptop left on a train being the
classic example.
Initial steps to be taken upon the discovery of a breach should include
containing the breach itself, determining the full particulars of it,
working out what needs to be done to resolve and remedy the situation, and
establishing who needs to be told about it straight away (the police, for
example, or your insurance provider).
A full investigation and assessment of the breach should go into more
detail, determining who will be affected by the breach and to what degree,
how much data is involved, how many data subjects will be affected, the
consequences of the breach and more.
This must all be done quickly as some personal data breaches must be
notified to the Information Commissioner’s Office and to the individual
data subjects whose data is involved in the breach. The ICO should be
informed within 72 hours of you becoming aware of the breach, where
feasible. Individuals should be informed “without undue delay”.
Notification will not always be required, but all the facts must be
carefully considered in order to determine this. When in doubt, notify, or
at least ask the ICO what to do. Failure to notify when you are supposed to
can result in substantial fines under the GDPR.
New Data Breach Report Form
Discovery is where it all begins. Our new Data Breach Report Form has been
designed to enable staff members to easily report suspected or actual data
breaches so that they can be handled and investigated by the appropriate
person or department (e.g. your Data Protection Officer if you have one).
New Data Breach Policy
Our new Data Breach Policy template is where the magic happens. This
document sets out the key steps to follow when handling a data breach
(whether it involves personal data or otherwise). The Policy starts with
the initial internal reporting requirements and details each stage all the
way through initial containment to investigation, notification, and the
evaluation and implementation of future preventative measures.
New Data Breach Register
A key principle of the GDPR is the “accountability principle”. In simple
terms, this can be summed up as “document everything!”. Not only must you
have the appropriate measures, procedures, systems etc. in place to comply
with the GDPR, but – and this is especially important when, despite your
best efforts, something goes wrong – you must also be able to demonstrate
that you have them and that you aren’t neglecting your responsibilities.
In the case of data breaches, all aspects should be recorded – regardless
of whether you need to notify the ICO or data subjects (indeed, if you
determine that notification is not required, documenting your reasoning for
this could be helpful if problems emerge down the line). Our new Data
Breach Register is designed to be used alongside the Data Breach Policy and
enables you to record key information not only about the breach itself, but
also about your response to it.
In an ideal world, there would be no data breaches, but with the best will
in the world, accidents can happen, and it’s always worth remembering that
however good your cybersecurity might be, those attempting to break it are
just as clever as those that designed it. Having procedures in place to
handle a data breach if and when it happens can save vital time and protect
not only the data itself, but also those to whom it relates and, by
extension, your commercial interests and your reputation. Most importantly,
it can help you stay on the right side of the law and avoid those pesky
fines that virtually every article about the GDPR likes to wrap up with!
The contents of this Newsletter are for reference purposes only and do not constitute
legal advice. Independent legal advice should be sought in relation to any specific