What Should You Do After a Data Breach? A Guide for Businesses
Had a data breach? Find out what steps you need to take in our guide for businesses.
Have you had a data breach? Your first thought may be to panic and worry about what to do next. But as long as you act on the breach quickly, you can limit further damage down the line.
In this guide, we’ll touch on the immediate steps to take after a breach and ways to prevent them from happening again.
What Constitutes a Data Breach?
Data breaches happen all the time—in fact, 30 million people were affected in the UK just last year. So what counts as one? A data breach is the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data that you process.
Examples include your employees falling for a phishing attack, failure to use Blind Carbon Copy (BCC) on a group email, or someone stealing a company laptop with confidential files.
Human error is the root cause of most data breaches. While data protection is everyone’s responsibility, your senior team is responsible for minimising this risk through data protection training.
Want to learn more about data breaches? Listen to the Data Protection Made Easy podcast for more insight.
How Long Do You Have to Report a Data Breach?
You have 72 hours from becoming aware of a data breach to report it to the ICO, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms. If a risk is unlikely, you don’t need to notify the ICO. However, you must document why the breach was not reported, in case a complaint about the personal data breach arises later.
Depending on the data you process, a data breach can have serious implications, including financial loss, discrimination and loss of confidentiality. In serious cases, affected individuals, such as witnesses in high-profile cases, may be at higher risk of harm.
How Should a DPO Respond to a Data Breach?
1. Find Out What’s Happened
You should first investigate what data was compromised, how the breach happened and how many people were involved. You need to know the source of the data, who the recipient of the data was, who the impacted data subjects are and whether there is any relationship between the parties involved.
Data mapping will help identify who’s been affected and give insight into whether the data is high-risk or not.
2. Contain the Breach
Once you know the source of the breach, start implementing security measures to limit further damage. Here are some immediate actions to take, depending on the cause:
- Cyber incident – If your employees are victims of malware or phishing attacks, everyone should update their passwords and enable security controls such as two-factor authentication (2FA).
- Human error – If personal data has been sent to someone by mistake, contact them immediately to delete it (if by email) or send it back securely.
- Stolen company devices – If you offer hybrid working, your team may work in public spaces where devices can be stolen. Should this happen, your IT department should be able to wipe the device remotely so the data doesn’t fall into the wrong hands.
- Lost files – If you can’t locate confidential files, notebooks or other paperwork, retrace your steps to where you last had them and ask others to help find them.
3. Assess the Risk
Whether a breach is reportable or not depends on the risk it poses to individuals. At this point, you must conduct a risk assessment of the harm that may result from the breach. This assessment is different from a Data Protection Impact Assessment (DPIA), which is conducted before processing activities begin.
First, you need to identify the personal data that has been breached (again, data mapping is essential here). The risk to individuals will increase if the data is sensitive or high-risk. For example, a breach of financial information may lead to identity theft, which is detrimental to the individual.
You also need to assess:
- Who may have the data – Was the breach internal or external?
- How many people have been affected – Were they customers, staff or shareholders, and how many in total?
- How harmful the breach will be – Will the loss of, or unauthorised access to, the data lead to an unsafe situation, affect people’s well-being, or put them at risk of losing their jobs or homes?
A risk assessment will determine the impact on individuals and identify ways to prevent this from happening again.
4. Contact the Affected Individuals
In a recent statement, the ICO commented on organisations’ responsibility to protect individuals and show empathy when communicating after a data breach.
Contacting the affected individuals is necessary if the data breach is high risk. When you acknowledge the incident, be empathetic in your response and reassure them that you are taking steps to ensure it won’t happen again. Tell them what those steps are and guide them on how to stay safe in the meantime.
Even when not legally required to do so, organisations may choose to inform the affected data subjects in order to protect their reputation and retain the confidence of the data subjects in the data controller.
5. Send Your Report to the ICO (If Needed)
Once you’ve completed these steps, you may need to report your breach to the ICO. Remember, this has to be done within 72 hours of becoming aware of the breach, so don’t let the earlier steps delay it.
Data Protection People Is Here to Help
While these steps seem daunting, you don’t need to go through them alone. Data Protection People are skilled in handling data breaches for businesses of all sizes and sectors.
Our data protection support team will be with you throughout the process, from assessing the breach to preventing future risks with GDPR audits and training.
Need urgent help? Contact our team today.