The personal data of individuals, sometimes known as data subjects, is valuable property that requires protection and security. Data subjects expect business owners to do all they can to protect and secure that personal data. However, there are times when data is not protected properly, or is compromised despite being protected, and a data breach occurs.
Depending on the nature of the data breached, the risks to which the data subjects are exposed as a result, and the person, people or organisation responsible for the breach, there may be an obligation to report it.
This post looks at data breaches, examples of breaches, and the key considerations to take into account so that if a breach occurs you are ready to tackle and contain its impact, minimising the damage to the reputation of your business.
What is a data breach?
A personal data breach is a security incident that has affected the confidentiality, integrity or availability of personal data. It can occur in a number of ways such as:
- the data being lost, destroyed, corrupted or disclosed;
- someone accessing the data or passing it on without authorisation; or
- access to the data being restricted, for example through ransomware.
Scenarios in business where a data breach can take place
- leaving computers unlocked and unattended, allowing access by an unauthorised third party;
- sending personal data and contractual information to the wrong client;
- data being wrongly altered or updated;
- hacked computer systems where data is regularly accessed and removed for malicious purposes;
- sending sensitive client files and documentation via insecure means.
High profile data breach examples
Equifax, where the personally identifiable information of 145 million US users and almost 700,000 UK users was compromised.
Verizon’s data on 14 million customers stored in the cloud, and controlled by a third party company, was exposed to anyone who could guess the web address.
Uber was forced to reveal that it deliberately covered up a year-old breach by paying the hackers US$ 100,000 to destroy the data they had stolen. The data of 57 million accounts, which had not been encrypted, was exposed.
Analysis indicated a large number of incidents were caused by third party suppliers failing to secure data properly.
Why it is important to have a data breach policy in place
Having a data breach policy can help soften the blow and minimise legal risk.
According to the GDPR, all data breaches must be recorded, whether or not you decide to report them to the ICO. A data breach policy will therefore help you identify when and how an incident should be reported to the ICO and when it should simply be recorded internally.
It will provide you with the procedures required to contain, manage, investigate and report an incident, as well as to prevent a similar breach in the future.
A data breach policy will set out key roles and responsibilities. It will also provide details of which stakeholders to communicate with, when to involve them and how to communicate with them, especially if the usual methods of communication have been disrupted by the breach.
Key information when reporting a data breach internally and to the ICO
When reporting a data breach you need to include the following:
- What happened
- When it happened
- How many people are affected
- What records are involved
- What the likely impact will be on the people who are affected
- Action taken or planned to put the situation right
- Name of the data protection officer if you have one, or another point of contact
Timing of the report:
- If you are reporting to the ICO, it must be done within 72 hours of becoming aware of the breach.
- If you report after the 72-hour deadline, you need to explain why there was a delay.
- If you need more than 72 hours to collect enough information for the report, you can report in phases. The nature of the report depends on the severity of the breach.
Data breach policy and reporting tools/useful links
We have put together some useful resources to help guide you in handling and reporting a data breach effectively and in line with ICO requirements.
Data breach document templates
Templates are a great way of creating your policies, procedures and handbooks. The following are the types of templates you should consider using for your data breach documentation:
- Data Breach Policy
- Data Breach Register
- Data Breach Report form
Visit the Simply-Docs website to view the data breach template samples. If you are interested in purchasing these document templates and more, visit our Simply-Docs discount code page, grab the relevant code and follow the instructions from there.
ICO personal data breach report form
The ICO has a data breach report form template that can be used when reporting to them. Click on the link below to access it.
ICO guide on how to report a data breach
The ICO has provided detailed guidance on how to report a data breach. To get up to speed and find out when and how to report a breach, click on the link below.
ICO webinar on how to report a data breach
On Thursday 19 July the ICO held a data breach reporting webinar to help you understand how to report a data breach. Click the link below to view the webinar.