Personal Data Breach Advice

A personal data breach is defined by the regulator, the Information Commissioners’ Office (ICO), as ‘a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data’.

Personal data breaches can be accidental or deliberate. An example of an accidental personal data breach could be something as simple as leaving a laptop in a taxi or entering the wrong name in the recipient field in an email, thereby disclosing personal data. Alternatively, personal data breaches can occur due to malicious acts in the form of hacking, phishing, malware attacks and ransomware attacks.

Our expert Data Protection team offer a range of support services to enable your organisation to manage these situations efficiently and effectively. We can also put policies and procedures in place to help prevent these situations arising in the first instance.

There are various measures you can take to protect your organisation’s personal data such as:

• Conducting thorough due diligence before deploying third-party software
• Ensuring all IT security systems are robust
• Ensuring employee information security training is up-to-date
• Having clear reporting mechanisms

In addition to the above, you can deploy systems such as threat monitoring and Data Loss Prevention (DLP) tools to monitor your systems for personal data breaches. Undertaking regular data protection audit and gap analysis reviewing your compliance levels is also recommended.

We can help prevent personal data breaches from occurring in the first instance by supporting you to carry out due diligence on suppliers and putting robust policies and procedures in place. We can also carry out audits and risk assessments to identify high risk processing activities or compliance gaps. Our expert legal and compliance team can also support you to put in place robust organisational and contractual risk management measures such as data sharing agreements and data processing agreements.

Our experts can ensure your staff have the most up-to-date training on data protection and offer guidance to prevent accidental data breaches.

It is crucial for organisations to have a Personal Data Breach Response Procedure in place so they know what action to take if there is a breach. This is an important document which outlines the:

• Parties involved in responding to the data breach and their respective roles
• Decision-making process
• Principles for decision-making
• Method for analysis and assessing the severity of a breach
• Guidelines on reporting

The document requires input from all stakeholders involved and sign-off from senior management. If there is a personal data breach, this procedure must be followed and each team carry out the role expected of them.

In some personal data breach instances, where there is a high risk to the rights and freedoms of data subjects, those individuals, along with the regulator, will have to be informed.

Once the personal data breach has been assessed and mitigation steps have been taken, each data breach must be logged in a data breach register. It is important that all the stakeholders review the incident for lessons learned and the Data Breach Response Procedure updated where necessary.

Thorntons Data Protection team can help you develop a robust Data Breach Response Procedure. Furthermore, our experts are well placed to assess the severity of each data breach and support any communications including with your customers, the regulator and the media, where necessary.

Once your organisation is aware of a personal data breach, you must then consider whether it is of a kind likely to cause a risk to the rights and freedoms of individuals, as in severe cases the individuals concerned and the regulator, the Information Commissioners’ Office (ICO), must be notified of the breach.

At Thorntons, our specialist Data Protection team can provide guidance on the likelihood and severity of risks of data breaches. This involves consideration of various aspects of the personal data breaches including the type of breach, the nature, severity and volume of personal data affected, the severity of the consequences for the individuals and the special characteristics of the personal data affected.

If the data breach is likely to cause a risk to individuals and it is decided the regulator must be informed, this should be done within 72 hours of you becoming aware of it. If you fail to do this,  you will need to justify the delay. Significant fines of up to £17.5million or 4% of an organisation’s global turnover can be imposed for failing to inform the supervisory authority. This is separate from any fine associated with the actual breach so it is important your procedures support swift reporting.

We can manage communications with data subjects and  the ICO on your behalf. We can file reports and liaise with the ICO throughout the duration of the data breach, allowing you to focus on its resolution.