1. What is a data breach response policy?
A data breach response policy (also known as a data breach response plan or data breach policy) is an internal policy document that includes the processes and procedures to be followed by a business’s staff in order to identify, manage and mitigate data breaches. A data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of, or access to, personal data.
A data breach response plan can be a key tool in ensuring that the effects of a data breach are managed and minimised, and that data protection laws are complied with by staff in relation to the reporting of data breaches to the ICO and to individual data subjects affected by the breach.
Find out more about data breaches by reading this comprehensive guide.
2. What should be included in a data breach response plan?
Identification - it is vital that staff are able to identify a data breach when it has occurred. A data breach response plan should include clear guidance to staff on how to identify a data breach, including examples of the types of incidents that amount to a data breach. If data breaches occur but are missed, there is a risk that your business does not comply with the requirements of data protection law when responding to that breach. Early identification is key to minimising the effect of a data breach too.
Mitigation measures - the data breach response plan should include measures for mitigating the impact of a data breach. This can include processes to identify breaches early on, put in place additional security measures and liaise with third-party experts where required.
Internal reporting - a clear escalation process should be set out in the data breach response plan so that staff know who to report data breaches to. A culture should be created at your business that allows staff to feel that they can report breaches to senior management without fearing the consequences.
Notifications - certain types of breaches must be reported to the ICO and/or the individuals affected by the breach and this should be clearly set out in your data breach response plan. Failure to notify reportable breaches is a breach of data protection laws. Find out more about notification in question 3 below.
Lessons learned - it is important to take remedial action after a data breach to ensure that a similar incident does not occur in the future. The investigation process should be set out in your data breach response plan. You can find out more about preventative actions that can be taken in question 4 below.
3. Who do I need to notify about a data breach?
Certain data breaches need to be reported to the Information Commissioner’s Office (ICO) and sometimes the affected individuals:
ICO - you only have to notify the ICO of a personal data breach if it is likely to result in a risk to the rights and freedoms of individuals. You have to report a notifiable breach to the ICO without undue delay and within 72 hours of when you became aware of it. Failure to report a breach within this timeframe will be a breach of data protection laws; and
Individuals - if a breach is likely to result in a high risk to the rights and freedoms of individuals, the UK GDPR says you must inform those concerned directly and without undue delay. A ‘high risk’ means the threshold for informing individuals is higher than for notifying the ICO.
4. Are any other steps required under the UK GDPR as part of a data breach response plan?
Yes - Article 33(5) of the UK GDPR requires you to document the facts regarding the breach, its effects and the remedial action taken. This is part of your overall obligation to comply with the accountability principle, and allows the ICO to verify your organisation’s compliance with its notification duties under the UK GDPR (in the case of reportable breaches). Find out more about how to record breaches in question 5 below.
In addition, it is important to carry out a thorough investigation into how the breach occurred, in order to prevent a similar breach in the future. This is particularly important where the breach has been caused by human error that could easily have been avoided. These types of preventative actions could include, for example, the following actions that are recommended by the ICO:
mandatory data protection induction and refresher training;
support and supervision until employees are proficient in their role;
updating policies and procedures (including your data breach response policy) to ensure they are comprehensive and clear enough for employees to feel able to report incidents or near misses;
working to a principle of “check twice, send once” when sending emails or other external communications;
implementing a culture of trust – employees should feel able to report incidents or near misses;
investigating the root causes of breaches and near misses; and
introducing measures to protect the personal data you are responsible for. This could include, for example: (i) restricting access and auditing systems, or (ii) implementing technical and organisational measures, e.g. disabling autofill.
5. How do I record a data breach?
Businesses should maintain a data breach register that details all actual or suspected data breaches. The data breach register / data breach log should include:
the facts surrounding the breach;
the effects of the breach; and
remedial action taken.
The ICO's template data breach log can be found here.
Sign up now to use Docue's data breach response plan template.