Has your organisation experienced a personal data breach?
This article will provide an overview of the steps to take when experiencing a personal data breach. However, for more in depth guidance on data breaches, please contact a member of our Data Protection team.
What is a personal data breach?
A personal data breach under the UK GDPR is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a public electronic communications service.” In simple terms, a data breach is a security incident in which unauthorised parties gain access to sensitive data or confidential information.
Sensitive data or confidential information, such as personal data, is information that relates to an identified or identifiable living individual. For example, this could be a person’s name, date of birth, email address, phone number, or their physical characteristics.
How do I respond to a personal data breach?
The ICO sets out clear guidance on what to do following a data breach. These steps are summarised below:
- Keep calm and do not panic.
Not all breaches will result in formal action and the main aim of the ICO is to offer guidance to prevent future breaches.
- Start the timer
If a personal data breach passes the reporting threshold, you are required by law to notify the ICO within 72 hours, and without undue delay. It is important to keep a clear record and log to document the events, the people involved, and your actions, even in circumstances where you may not need to report anything.
- Find out what has happened
Gather all the information as soon as you can, and ensure that you document it in your log as you learn more about the situation.
- Attempt to contain the breach
Once you have figured out what happened and what personal data has been affected, you can work out if you can fix the problem. You may be able to retrieve and fully restore the data as soon as possible, or, in the event the breach resulted in an unauthorised individual receiving personal data that they were not entitled to, you could consider requesting the recipient destroy the data or safely return it.
- Assess the risk of harm
Determine the level of potential harm or detriment that could have been, or has been, caused to people. This could be as severe as identity theft or as minor as sending the wrong customer an incorrect appointment reminder.
- Act to protect those who have been affected
Provide clear and detailed guidance on how those people can protect themselves going forward. Ultimately, this will depend on the situation and severity of the breach. However, it may include giving them information on how to protect their identity from identity theft, warning them about phishing emails, and advising them to update their password to something stronger.
- Submit your report (if necessary)
Once you believe you have done everything you can, and if the breach is reportable (discussed further below), you should submit your report to the ICO. In that report, you should be prepared to provide detailed information on each of the previous steps, including:
- what the breach was,
- how it happened,
- your risk assessment, and
- damage control after the breach.
Do I have to notify the ICO?
You may be required to submit a notification to the ICO. If so, you must notify the ICO without undue delay and within 72 hours of becoming aware of the breach. A notification is triggered when a breach is likely to result in a risk to individuals’ rights and freedoms. The obligation to make a report to the ICO falls on the data controller and will need to be assessed on a case-by-case basis. You should consider whether, if the breach is left unaddressed, it is likely to have a significant detriment on individuals.
If you choose not to report, you should make sure you record any decisions you make and keep any relevant information in order to support your decision that there is no risk to the rights and freedoms of individuals.
Do I have to notify our customers?
The requirement to communicate a data breach to individuals is triggered where a breach is likely to result in a high risk to their rights and freedoms; as with the ICO notification, it will be the data controller’s responsibility to inform any affected individuals.
Whether to notify the individuals will depend on the circumstances of the breach. However, a higher threshold needs to be met than that required for notifying the ICO. For assistance on this, please contact a member of our Data Protection team.
Record Keeping
Any breaches of personal data that have occurred at the company should be documented. These should be kept in a data breach log and record:
- the nature of the breach,
- the consequences of the breach, and
- the remedial action taken at the time.
The ICO suggests a template log, which can be found on its website.
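As an added example (not from the article, and not the ICO's template), a minimal Python breach-log entry that records the fields listed above, starts the 72-hour ICO clock from the moment of awareness, and applies the two thresholds discussed earlier (a likely risk means notify the ICO; a likely high risk means also notify the individuals); the class, field names and sample incident are assumptions:

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum

ICO_WINDOW = timedelta(hours=72)  # notify the ICO within 72 hours of becoming aware

class Risk(Enum):
    NONE = "no risk"    # not reportable: still record the decision and the reason
    RISK = "risk"       # likely risk to rights and freedoms: notify the ICO
    HIGH = "high risk"  # likely high risk: notify the ICO and the affected individuals

@dataclass
class BreachRecord:
    reference: str         # internal reference, constructed, e.g. "BR-0001"
    aware_at: datetime     # when the controller became aware of the breach
    nature: str            # what happened and how
    consequences: str      # who is affected and what the effect is
    remedial_action: str   # containment steps taken at the time
    risk: Risk             # outcome of the risk-of-harm assessment
    rationale: str         # basis for the assessment, including any decision not to report
    events: list = field(default_factory=list)

    def log(self, when, note):
        self.events.append((when, note))

    def ico_deadline(self):
        return self.aware_at + ICO_WINDOW

    def hours_left(self, now):
        return (self.ico_deadline() - now) / timedelta(hours=1)

    def must_notify_ico(self):
        return self.risk is not Risk.NONE

    def must_notify_individuals(self):
        return self.risk is Risk.HIGH

    def gaps(self):
        """Fields that must be filled before the record is complete."""
        return [f"{f} not recorded" for f in ("nature", "consequences", "remedial_action", "rationale")
                if not getattr(self, f).strip()]

# Constructed sample entry, not a real incident.
SAMPLE = BreachRecord("BR-0001", datetime(2024, 4, 2, 9, 0, tzinfo=timezone.utc),
    "appointment reminder emailed to the wrong customer",
    "one customer's name and appointment time seen by another customer",
    "recipient asked to delete the email and confirmed deletion",
    Risk.NONE, "single record, low sensitivity, recipient confirmed deletion")
SAMPLE.log(SAMPLE.aware_at, "breach identified, log opened, 72-hour clock started")
```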
We know that dealing with personal data breaches is complex and we can assist you with navigating a data controller’s responsibilities and obligations in these circumstances. To find out more, please join us for our upcoming webinar on 30 April 2024, 11:00am to 11:30am, "How do I protect my business in the event of a personal data breach?", where we will be discussing in more detail the steps to follow when a breach occurs, as well as what happens if you fail to notify the ICO or your customers, and how you can prevent data breaches from occurring in the future.
For any other questions on personal data breaches, please feel free to contact a member of Clarkslegal's Data Protection team.