A comprehensive guide to data breaches (including a lawyer-drafted data breach policy template)
What is a personal data breach?
Data protection laws define a personal data breach as a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. This is a wide definition that means personal data does not have to be lost for it to constitute a data breach - someone accessing personal data on an unauthorised basis would also amount to a data breach.
The definition of “Personal data” is also wide and is defined in the UK GDPR as any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
A personal data breach could include, for example:
access by an unauthorised third party;
deliberate or accidental action (or inaction) by a controller or processor;
sending personal data to an incorrect recipient;
computing devices containing personal data being lost or stolen;
alteration of personal data without permission; and
loss of availability of personal data.
What is a data breach policy?
A data breach policy is an internal policy for staff to refer to if they suspect or become aware of a personal data breach. It tells staff how to identify a data breach, how to mitigate a data breach and the action that needs to be taken where a data breach occurs. A data breach policy serves as a proactive measure to establish clear guidelines and procedures to protect your business’s personal data and maintain the trust of stakeholders.
How can a data breach policy benefit my business?
Implementing a data breach policy can bring several benefits to your business, helping you proactively address and manage potential security incidents. Here are some ways in which a data breach policy can benefit your business:
Effectively manage data breaches - data breaches can result in significant financial and reputational damage to your business. A data breach policy helps you establish a framework to prevent, detect, and respond to data breaches effectively and in compliance with data protection laws. A data breach policy also sets out the best practices your staff should follow to minimise the risk and impact of data breaches.
Early detection and response - a data breach policy outlines procedures for detecting and responding to security incidents promptly, minimising the potential impact of a breach.
Comply with legal reporting requirements - your company has 72 hours to inform the ICO of an actual or suspected data breach where the data breach is likely to result in a risk to the rights and freedoms of individuals. Failure to report data breaches that meet this threshold to the ICO will be a breach of data protection laws, so it’s important that your staff know what information to provide, how, where and to whom to provide it. A data breach policy will clearly set out this information for your staff.
Protect your reputation - there are few things so dreaded in the world of business as a data breach. In recent years, headlines have been smothered in reports of hefty fines, broken consumer trust, and mismanagement of personal data – all thanks to a data breach. As you can imagine, a data breach policy is a particularly useful document to have in your portfolio to prevent and manage data breaches - without a data breach policy, the risk to your business of suffering a data breach that could damage your reputation (and lose the trust of customers) increases.
What should my data breach policy include?
What is a data breach? This section of the data breach policy will explain to readers of the policy how they can identify an actual, or suspected, data breach. It is very important that staff are able to identify data breaches, so that appropriate mitigating and reporting steps can be followed. A data breach could include, for example:
access by an unauthorised third party;
deliberate or accidental action (or inaction) by a controller or processor;
sending personal data to an incorrect recipient;
computing devices containing personal data being lost or stolen;
alteration of personal data without permission; and
loss of availability of personal data.
What staff should do if they suspect there has been a data breach - this section will tell the reader what the notification process is where there has been a data breach, including how to report the data breach and the information that should be included in the report. It will also include details of the person at the business responsible for notifying breaches to the ICO.
What the business will do in the event of a data breach - this section of the data breach policy will set out the action that will be taken by the business when a data breach is notified to them. This is likely to include:
Containment: taking mitigating steps to stop or minimise further loss, destruction or unauthorised disclosure of personal data;
Recovery: identifying ways to recover, correct or delete data;
Notification: assessing who needs to be notified of the breach. This could include the ICO, data subjects and law enforcement officials; and
Recording the breach: all data breaches (whether or not notified to the ICO) should be recorded on a data breach register.
Preventing future breaches - this section will set out the steps that will be taken by the business following a data breach to prevent future breaches. It could include:
Staff training - it is not enough just to have policies and procedures in place for your business - staff must be trained on those policies and procedures so that they are implemented in the business's day-to-day activities;
Implementing new security measures - technical and organisational measures (sometimes referred to as "TOMs") are security measures that a business should have in place to process personal data. The UK GDPR requires that a business only processes personal data securely by means of ‘appropriate technical and organisational measures’;
Conducting / updating a privacy risk assessment - a privacy risk assessment (also known as a data protection impact assessment / DPIA) is an assessment of the risk of data processing carried out by a business. For high-risk processing, carrying out a DPIA is a mandatory requirement of data protection laws; or
Debriefing team members following the investigation.
Find out more about data breach response plans by reading these FAQs.
Who do I need to notify about a data breach?
Certain data breaches need to be reported to the Information Commissioner’s Office (ICO) and sometimes to the affected individuals. Your data breach policy should include a clear process for staff to follow so they know when and how to report data breaches:
ICO - you only have to notify the ICO of a personal data breach if it is likely to result in a risk to the rights and freedoms of individuals. You have to report a notifiable breach to the ICO without undue delay and within 72 hours of becoming aware of it.
Individuals - if a breach is likely to result in a high risk to the rights and freedoms of individuals, the UK GDPR says you must inform those concerned directly and without undue delay. A ‘high risk’ means the threshold for informing individuals is higher than for notifying the ICO.
Use this handy checklist to help you manage a data breach.
What other internal data protection policies should I have in place?
Internal data protection policy - this is the key policy that a business should have in place in order to manage its data protection compliance. It will set out the standards that a business must meet, and the expectations of its staff, to ensure compliance with data protection law in the UK. Docue's data protection policy template can easily be tailored to reflect your business practices. Find out more about DP policies by reading this comprehensive guide;
Data retention policy - UK data protection laws include principles relating to storage limitation and data minimisation. These principles mean that personal data should only be kept by your business for as long as it is necessary to achieve a particular purpose. Having a clear data retention policy in place that is followed by your staff can be crucial to be able to achieve (and demonstrate) these principles; and
Data protection requests policy - individuals (known as data subjects) have a range of rights under data protection laws. A clear policy can be key for a business to be data protection compliant and handle requests legally. This policy will provide practical guidance for the business's staff, including setting out procedures to identify the individual making the request, when requests can be refused, and ensuring that requests are handled quickly (and within the timeframes set by the UK GDPR).
How can Docue help?
Created by lawyers: Docue’s data breach policy has been created, and is maintained, by specialist privacy lawyers. This means that the data breach policy is kept up to date with ever-changing data protection laws.
Easy to use: To create your data breach policy with confidence and speed, simply click through the intelligent tick box options and text box answers and you’ll have a comprehensive, tailored, and ready-to-use data breach policy in no time. And don't worry - if you get stuck along the way, our lawyer-drafted guidance notes are there to guide you through the document creation process.
Sign up now to use Docue's data breach policy and other data protection policy templates.