Preparing for a personal data breach
1. Identifying personal data breaches
Do your staff know what a personal data breach is? It is crucial that they are able to identify suspected and actual breaches, so that they can be managed appropriately.
A personal data breach is where personal data your business is responsible for is lost, accidentally destroyed, altered without proper permission, damaged or disclosed to someone it shouldn’t have been. Examples of a personal data breach could include:
access by an unauthorised third party;
deliberate or accidental action (or inaction) by a controller or processor;
sending personal data to an incorrect recipient;
computing devices containing personal data being lost or stolen;
alteration of personal data without permission; and
loss of availability of personal data.
Your data breach notification policy should include clear guidance for staff on how to identify personal data breaches.
2. Preventative measures
It is important to have robust measures in place to prevent personal data breaches occurring in the first place. This could include having the following processes in place and ensuring staff are aware of them via your data breach notification policy:
checking that your IT systems are safe and secure, including through independent audits and security testing;
double-checking recipients' addresses before sending emails and letters, and disabling address auto-complete so that a similarly named contact is not selected by mistake;
checking that attachments and email chains only contain the personal data of the people who should see them; and
training staff to send bulk emails correctly, such as by using a mail merge service so that each recipient receives an individual message and cannot see the other recipients' addresses.
3. Internal responsibility
It's important that someone in your business has oversight of, and responsibility for, dealing with any personal data breaches that happen. You need to provide training, support and resources so they can carry out this role effectively for your business.
All other staff members should be told (via the data breach notification policy) who is responsible, and the escalation process that should be followed when an actual or suspected personal data breach is identified.
Managing a personal data breach
4. Assessment of seriousness
To understand how to manage a personal data breach properly, it is important to assess the seriousness of the personal data breach and the risks that stem from it.
To assess the risk, it is crucial to consider how seriously any negative consequences may affect people and how likely those consequences are to happen. A risk assessment should be carried out that considers both the information available when your business became aware of the breach and any new information that comes to light as you investigate. The information being considered should include:
the type of personal data involved;
how many people are affected; and
how they are, or could be, affected, including any negative consequences that could arise.
5. ICO reporting requirements
You must report a personal data breach to the ICO if it is likely to result in a risk to the rights and freedoms of individuals, that is, if left unaddressed it is likely to have a significant detrimental effect on them. For example, a breach could result in:
discrimination;
damage to reputation;
financial loss; or
loss of confidentiality or any other significant economic or social disadvantage.
You must tell the ICO about any reportable personal data breach without undue delay and, where feasible, within 72 hours of your business becoming aware of it. You become 'aware' once you have a reasonable degree of certainty that a security incident has compromised personal data, not only once your investigation is complete. If you cannot provide all the details within 72 hours, submit what you know and follow up in phases; a report made after the deadline must explain the reasons for the delay. The report must include:
a description of the nature of the personal data breach including, where possible:
the categories and approximate number of individuals concerned;
the categories and approximate number of personal data records concerned;
the name and contact details of the data protection officer (if you have one) or other contact point where more information can be obtained;
a description of the likely consequences of the personal data breach; and
a description of the measures you have taken, or propose to take, to deal with the personal data breach and, where appropriate, of the measures you have taken to mitigate any possible adverse effects.
If you are unsure whether a personal data breach needs to be reported to the ICO, you can use the ICO’s self-assessment tool.
6. Notification to individuals
If a personal data breach is likely to result in a high risk to the rights and freedoms of individuals, you must inform those concerned directly without undue delay. 'High risk' means the threshold for informing individuals is higher than for notifying the ICO; the purpose of telling people directly is to let them take steps to protect themselves.
The notification needs to describe, in clear and plain language:
what’s happened;
any likely negative consequences;
any steps you have taken, or propose to take, to reduce those consequences;
what people can do to protect themselves;
what you’re willing to do to help them; and
how they can contact you to get more information or help.
Learning from a personal data breach
7. Record the breach
All personal data breaches, whether or not they are reportable to the ICO, should be recorded on an internal data breach register or log. The UK GDPR requires you to keep this record, and the ICO may ask to see it. The following information about a personal data breach should be recorded:
its causes;
what happened;
the personal data affected;
the impact on those affected;
any steps the business took to reduce the consequences to those affected; and
your reasons for deciding whether or not to report it to the ICO.
8. Staff training
It is not enough to just have policies and procedures in place for your business: staff must be trained on those policies and procedures so that they are embedded in your business's day-to-day activities. This is particularly important after a personal data breach has occurred. Staff should be trained on the updated policies and procedures to prevent similar breaches from recurring.
9. New or improved measures
Assessments should be carried out to understand whether technical or organisational measures can be implemented to prevent the breach from happening again. Technical and organisational measures (sometimes referred to as "TOMs") are the security measures a business must have in place when processing personal data. The UK GDPR requires a business to process personal data securely by means of 'appropriate technical and organisational measures', taking into account the state of the art, the cost of implementation and the risks posed to individuals.
Sign up now to use Docue's data breach notification policy template.