How to respond to a personal data breach

When a potential data breach is discovered, the first response can be to panic. On its website the ICO is at pains to say that there is no need for concern. Its main aim is to provide advice that helps organisations avoid similar incidents in the future. The ICO is there to help you understand what has happened and to prevent it happening again. The headlines about fines and formal action cover only a very small part of its work.

The ICO and certified data protection practitioners like CSRB suggest a seven-step strategy for managing a data breach.

  1. What has happened? – Establish the facts with your data protection officer (DPO) and other key team members, and start an incident log. The ICO suggests that you “write down facts about the incident as you uncover them”. This could include “what happened and why, how many people were involved, a timeline of when it all happened, and what actions you’ve taken so far”. Was this a deliberate act or an accident? You also need to understand whether an actual breach has taken place or whether a vulnerability in your systems has been exposed.
  2. Is personal data involved? – If it is, then take steps to reduce the impact of the breach. Wiping a stolen laptop is fine, but you should take care not to delete any evidence that may be needed later. It may be that changing system passwords or locating a missing device resolves the incident.
  3. What is the size of the problem? – Assess what potential harm or detriment it may cause to people. Are there safeguarding issues? Is there the possibility of identity theft, or will it cause significant distress? As the ICO website says: “You might be dealing with a simple mix-up where there’s little or no risk involved, or a serious breach that will have a lasting effect on people’s lives”.
  4. Protect those affected – Advising anyone whose data may have been released is important. This is where a clear plan prepared in advance pays dividends: having suitable messaging ready as templates avoids having to write something in the midst of a crisis. If you think there’s a high risk to individuals, then by law you have to tell them without undue delay.
  5. Record keeping – This is essential if you need to report the incident. You will need to provide the ICO with details such as what happened and when, your risk assessment, and what you’ve done to contain the breach.
  6. Do you need to report the breach? – The ICO website has a very useful self-assessment tool to help you decide if you need to report the breach. If you do, then it needs to be done within 72 hours. You can follow up with more information but it’s important to make the initial call within the required time.
  7. Post-incident review – Useful lessons can be taken even from minor incidents. Using the review to document and share your findings will reduce the risk of a repeat incident, as additional measures can be added or procedural changes made.

Using this seven-step process, you should find that any data breach, small or large, is understood, contained and resolved without delay and without significant impact on the organisation. Reputations can be enhanced by the correct response to a data incident, and harmed by a failure to act promptly and decisively.

This is where CSRB’s certified personal data breach response package for organisations of all sizes becomes an effective way to manage your legal and moral responsibilities. Through education, training for your team and the creation of a personal data breach response plan, we help you minimise the risk of a data breach. Contact us today on 0117 325 0830 or info@csrb.co.uk for a free 30 minute online personal data breach advice session.