Kirsty McAuley, Associate in the Corporate and Commercial team at Coodes Solicitors, explains how any organsiations should deal with the unfortunate and inevitable situation of a data breach.
The introduction of GDPR (the General Data Protection Regulations) has made us all more aware of the care we need to take when handling personal data. Most organisations now have much better data storage and processing systems in place as a result of the regulations. However, nothing can prevent things from going wrong. Whether it’s a full blown cyber attack or just human error, it is unfortunately inevitable that any organisation will experience a data breach at some point. That is why all organisations should have plans in place for what to do if a data breach occurs.
If you have not yet put together a protocol for dealing with a data breach, here are the key steps you should follow.
If an employee suspects a data breach has happened, it is vital that they report it immediately. If someone has committed the potential breach themselves, perhaps through simple human error, they may feel nervous about reporting it. It is important to do what you can to ensure individuals feel comfortable about reporting a potential breach.
Look at what you can put in place to make it as easy as possible for an employee to report a data breach. This might include having a simple form for them to fill out, or simply making sure they are aware of who is responsible for data protection so they know who to speak to. It is not compulsory for all organisations to have a data protection officer but it is sensible to have a dedicated person to deal with any data issues. Whether you want staff to report a potential breach to them, or to a line manager, the important thing is that they understand who they should notify if they suspect there has been a breach.
GDPR has given all organisations a duty to report certain types of personal data breaches to the ICO (Information Commissioner’s Office) within 72 hours. Broadly speaking, this is when a breach could result in a risk to people’s rights and freedoms or when the breach involves a large volume of data. If you decide not to report a breach, make sure you can justify your decision to the ICO as you may be asked to do so in future.
In some instances you will also need to notify those individuals whose data is involved in the breach. This is when the breach is deemed likely to pose a high level of risk to the rights and freedoms of the data subjects. If you are in this position, you will need to liaise closely with the ICO on your communication with the individuals concerned. You may also decide to inform them, regardless of your obligations under the regulations, if you think they have a right to know and where you have other duties of care towards the individual.
In some cases, you may feel unable to handle the data breach yourself. Recognise when you need to get help. This could involve getting legal advice, hiring cyber security experts or getting advice from your insurer. Always remember that if you are subject to a cyber attack you should report the incident to the police.
Any data breach should teach you something about how you can better handle your data in future. Perhaps you need to review who has access to certain personal data, arrange staff training or put more security measures in place to avoid data being lost or stolen. It may be something simple such as turning off auto complete when sending emails. Although no one wants a data breach to occur, if it does happen then look at it as an opportunity to tighten up any processes or procedures to avoid something similar occurring in the future.
For any help or advice around the new GDPR, please contact Kirsty McAuley in the Corporate and Commercial team at Coodes Solicitors on 01326 214034 or firstname.lastname@example.org.