The Data Breach

It’s happened: your organisation has had a data breach. Is there a plan in place to deal with it?

What is a personal data breach?

A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data.

Do you have procedures in place to detect, report and investigate a breach?

Mandatory breach notification under GDPR will be new for many. Under GDPR all breaches need to be reported to the ICO within 72 hours of the breach being detected.

What breaches do I need to notify the relevant supervisory authority about?

You only have to notify the relevant supervisory authority of a breach where it is likely to result in a risk to the rights and freedoms of individuals. If unaddressed such a breach is likely to have a significant detrimental effect on individuals – for example, result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage.

This has to be assessed on a case by case basis. For example, you will need to notify the relevant supervisory authority about a loss of customer details where the breach leaves individuals open to identity theft. On the other hand, the loss or inappropriate alteration of a staff telephone list, for example, would not normally meet this threshold.

When do individuals have to be notified?

Where a breach is likely to result in a high risk to the rights and freedoms of individuals, you must notify those concerned directly.

A ‘high risk’ means that the threshold for notifying individuals is higher than the threshold for notifying the relevant supervisory authority.

What you must do:

  • Assess all types of data that you currently hold and document which data falls within the notification requirement in the event of a breach.
  • Organisations need to develop policies and procedures to manage a data breach both at a central and local level.
  • Establish a ‘breach drill’ so that everyone knows what to do and when to do it.

What information must a breach notification contain?

  • The nature of the personal data breach including, where possible: the categories and approximate number of individuals concerned; and the categories and approximate number of personal data records concerned.
  • The name and contact details of the data protection officer (if your organisation has one) or other contact point where more information can be obtained.
  • A description of the likely consequences of the personal data breach.
  • A description of the measures taken, or proposed to be taken, to deal with the personal data breach and, where appropriate, of the measures taken to mitigate any possible adverse effects.

What should I do to prepare for breach reporting?

  • Ensure that staff understand what constitutes a data breach, and that this is more than a loss of personal data.
  • Ensure that an internal breach reporting procedure is in place. This will facilitate decision-making about whether you need to notify the relevant supervisory authority or the public.

In light of the tight timescales for reporting a breach, it is important to have robust breach detection, investigation and internal reporting procedures in place.