If you notice a data breach or think that one has occurred, it is easy to panic. This article aims to help you understand the steps that should be taken as well as assist you to put a plan in place, so you know exactly what to do before a breach occurs and are in the best position to deal with a breach should one occur.
What is a personal data breach?
A breach is more than just losing data. A personal data breach can be defined as a ‘breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.’
When we store or hold data, we should follow best practice to ensure its security. Put simply, this is the CIA Triad: Confidentiality, Integrity, and Availability. Integrity means the data should remain accurate and consistent, ensuring accuracy for the purpose of processing it; availability means it should be accessible should a data subject ask to see the data you hold; and confidentiality means the data should remain confidential and be used for the sole purpose for which it has been obtained. If you would like to read more about how we should protect a person’s data, we have a dedicated article focused on GDPR compliance.
Following a potential breach there are five simple steps that should be taken:
- Find out what has happened: this includes the information that has been revealed, changed, lost or obtained, how the information was accessed, the number of people involved, etc. You should create a timeline of what has happened so far.
- Attempt to contain the breach: the priority is to establish what has happened. If you can recover the data, do so. If you cannot, what steps can you take to reduce the risk of the data being exploited?
- Assess the risk: ask yourself what the potential risk or harm to those affected could be.
- Inform the people involved: give specific and clear advice on what has happened and the next steps they should take to protect themselves. You should only do this if you believe there is a high risk to those involved.
- Report to the ICO: if the risk is high, a data breach must be reported to the ICO. If you feel your breach reaches this threshold, then this should be your fifth and final step.
Note that the GDPR allows you only 72 hours from identifying the breach to inform the ICO. The criteria for a reportable breach are summarised below.
What determines a reportable breach?
To determine if a breach is reportable to the ICO you first need to establish the likelihood of risk to individuals’ rights and freedoms. If a risk is deemed likely then you must inform the ICO: if the risk is low then you do not have to report it.
Risk to an individual’s rights and freedoms can be defined as anything that could lead to physical, material, or non-material damage; this includes, but is not limited to, discrimination, monetary loss, identity theft or fraud.
If you fail to notify the ICO of a breach when you are required to do so, this can result in a fine of up to £17.5 million or 4% of your global turnover. The fine can also be combined with the ICO’s other corrective powers under Article 58 of GDPR.
If you decide you do not need to report the breach, you need to be able to justify the decision: you should keep a document detailing why you decided not to report the breach. The most common reason for not reporting a breach is that the risk of harm or damage to a data subject is low.
If you are unsure whether your breach meets the criteria to report to the ICO, there is a self-assessment tool on their website that you can complete.
How do you report a breach?
There are two main ways you can report a breach to the ICO:
- Call their helpline on 0303 123 1113. This helpline is open between 9am and 5pm Monday to Friday. Outside of these hours you can report the breach online.
- Report online through the ICO website, where you can complete an online form.
What information will you need to provide?
If you report a breach via the phone, you will be asked:
- What has happened
- When and how you found out about the breach
- The people that have or may have been affected by the breach
- What you are doing because of the breach
- Who the ICO should contact if they need more information, and who else has been informed.
You should ensure the information you provide to the ICO is accurate, and you should supply them with as much detail as possible. A copy of the information you have provided will be sent to you.
Documenting and keeping records of your earlier steps to manage a data breach will make this process more streamlined for you.
How can CyberCrowd help?
Do you have an incident response plan in place, or have you carried out table-top exercises that will help walk you through the events of a breach and strengthen any plans you have in place?
At CyberCrowd we offer both incident response and table-top exercises as part of our service portfolio, along with DPO and CISO as a service, helping you to mitigate breaches and ensure the policies you do have in place align to the Data Protection Act. We are always happy to help customers looking to improve their security posture.
Our experts work with you to ensure that no stone is left unturned, putting you in the best position should a breach occur. If you would like to learn more about our service offerings and how they align to your business’s requirements, please contact us.