If you are an organisation processing personal data, a data breach can be very serious, putting people’s information at risk and potentially causing those concerned loss and distress. It also puts your organisation at risk of substantial data protection fines and reputational damage.
Under data protection legislation, your organisation has an obligation to keep personal data safe with strong breach detection, investigation and reporting procedures in place. Our Data Protection team, comprising compliance and legal experts, can help you develop robust in-house data protection procedures and safeguards and are on hand to help if there is a data breach with 24/7 crisis response. We can help you to resolve the issue as soon as possible, protect your staff and customers, meet your reporting obligations and maintain your organisational reputation.
Frequently asked questions
Here we look at what counts as a personal data breach, how to minimise the risk of a breach and what to do if your personal data has been compromised.
What is a personal data breach?
A personal data breach is defined in the UK GDPR, and in the guidance of the regulator, the Information Commissioner's Office (ICO), as 'a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data'.
Personal data breaches can be accidental or deliberate. An accidental breach can be something as simple as leaving a laptop in a taxi or entering the wrong name in the recipient field of an email, thereby disclosing personal data to the wrong person. Deliberate breaches result from malicious acts such as hacking, phishing, malware and ransomware attacks.
Our expert Data Protection team offer a range of support services to enable your organisation to manage these situations efficiently and effectively. We can also put policies and procedures in place to help prevent these situations arising in the first instance.
How can you reduce the risk of breaches?
There are various measures you can take to protect your organisation’s personal data such as:
- Conducting thorough due diligence before deploying third-party software
- Ensuring IT security controls are robust, including encryption of laptops and portable devices so that a lost or stolen device does not become a disclosure
- Ensuring employee information security training is up-to-date
- Having clear reporting mechanisms
In addition to the above, you can deploy systems such as threat monitoring and Data Loss Prevention (DLP) tools to detect personal data leaving your systems or being accessed without authorisation. Undertaking regular data protection audits and gap analyses to review your compliance levels is also recommended.
We can help prevent personal data breaches from occurring in the first instance by supporting you to carry out due diligence on suppliers and putting robust policies and procedures in place. We can also carry out audits and risk assessments to identify high risk processing activities or compliance gaps. Our expert legal and compliance team can also support you to put in place robust organisational and contractual risk management measures such as data sharing agreements and data processing agreements.
Our experts can ensure your staff have the most up-to-date training on data protection and offer guidance to prevent accidental data breaches.
What action should you take if there is a breach?
It is crucial for organisations to have a Personal Data Breach Response Procedure in place so they know what action to take if there is a breach. This is an important document which outlines the:
- Parties involved in responding to the data breach and their respective roles
- Decision-making process
- Principles for decision-making
- Method for analysis and assessing the severity of a breach
- Guidelines on reporting
The document requires input from all stakeholders involved and sign-off from senior management. If there is a personal data breach, this procedure must be followed and each team must carry out the role expected of them.
Where a personal data breach is likely to result in a high risk to the rights and freedoms of data subjects, those individuals must be informed without undue delay, in addition to the regulator.
Once the personal data breach has been assessed and mitigation steps have been taken, it must be logged in a data breach register, whether or not it was reportable to the regulator. It is important that all the stakeholders review the incident for lessons learned and that the Data Breach Response Procedure is updated where necessary.
Thorntons Data Protection team can help you develop a robust Data Breach Response Procedure. Furthermore, our experts are well placed to assess the severity of each data breach and support any communications including with your customers, the regulator and the media, where necessary.
When must you inform your customers and the ICO?
Once your organisation is aware of a personal data breach, you must consider whether it is likely to result in a risk to the rights and freedoms of individuals. If it is, the regulator, the Information Commissioner's Office (ICO), must be notified; if the risk is high, the individuals concerned must also be told.
At Thorntons, our specialist Data Protection team can provide guidance on the likelihood and severity of the risks arising from a data breach. This involves consideration of various aspects of the breach, including the type of breach, the nature, sensitivity and volume of the personal data affected, the severity of the consequences for the individuals and any special characteristics of the individuals or the data affected.
If the data breach is likely to result in a risk to individuals and it is decided the regulator must be informed, this must be done within 72 hours of you becoming aware of it. If you fail to do this, you will need to give reasons for the delay. Failing to notify the ICO when required can attract a fine of up to £8.7 million or 2% of an organisation's annual worldwide turnover, whichever is higher. This is separate from any fine associated with the underlying breach itself, so it is important your procedures support swift reporting.
We can manage communications with data subjects and the ICO on your behalf. We can file reports and liaise with the ICO throughout the duration of the data breach, allowing you to focus on its resolution.
How can Thorntons help?
Our Data Protection team have extensive experience in putting in place response plans to ensure any personal data breach is dealt with in a fast and effective manner. We can help you create your Personal Data Breach Response Procedure, provide pragmatic and strategic guidance on organisational and technological workarounds to stem a data breach, notify any breach to the ICO and the individuals concerned if needed and, where appropriate, advise when you should get other professionals involved, for example your PR company. This will help minimise harm not only to the individuals concerned, but also to your organisational reputation.
Please call our specialist Data Protection team on 03330 430350 for more information on how we can help with data breach issues. Or complete our online enquiry form and an expert in our Data Protection team will call you back.
Our Services
Our specialist Data Protection lawyers are on hand with clear advice and help for you on all aspects of GDPR.