Data Breaches and Near Misses!
Most of our clients are currently using the Support Desk, based in Leeds. Our clients are provided with a two-part data breach assessment template whereby in the event of a security incident involving personal data, the lead investigator within the organisation records a detailed description of the incident.
Part 1 of the template sets out what the lead investigator should include in the report, for example: what personal data or special category data is involved, which categories of data subjects are affected (e.g. customers or employees), when the incident occurred, how the incident was discovered, and what measures have been taken so far to address it.
Part 2 of the template is completed by Support Desk consultants. We assess the report and determine whether the incident can be considered a personal data breach under the definition of the General Data Protection Regulation (GDPR).
A Personal Data Breach is defined in Art.4(12) as:
“a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
For there to be a personal data breach as per the definition there must be:
- A breach of security; and
- Personal data.
Assessing the Risk
We establish whether there has been a breach of security and whether personal data (i.e. information that can identify a living individual) has been unlawfully destroyed, lost, altered, disclosed, accessed or otherwise processed.
Once we have established whether the incident can be considered a personal data breach, we assess the impact or adverse effects on individuals, how likely the risk(s) are to materialise, the nature, sensitivity and volume of the data involved, the remedial mitigation steps to consider, and our judgement on whether the breach is reportable to the Information Commissioner’s Office (ICO).
‘Near Miss’ incidents are where personal data has not been compromised. An example of a near miss incident we have handled involved files containing personal data being accidentally moved to an unrestricted area on the shared network. A staff member became aware of the misplaced files and immediately reported the incident to the lead investigator, who removed the files from the accessible area and contacted the Support Desk for advice.
We advised that the IT service provider should carry out a thorough investigation to establish how the files were accidentally moved to the wrong location, i.e. review all file structures to determine whether any other file paths are in the wrong location and set permissions accordingly for the affected files.
Following the investigations carried out by the client and the IT service provider, it was confirmed that no personal data had been unlawfully disclosed: the file logs showed no evidence that the files were accessed during the period they were held in the unrestricted area.
We therefore advised that the incident should be recorded as a near miss in the breach register and that the relevant investigation documents be saved in a secured central location. Upon the request of either the ICO or the data subject(s), the client will then be able to locate the appropriate information in a timely manner.
Most importantly, we recommend to all of our clients that they conduct regular data protection training and run awareness campaigns to ensure employees are aware of how to minimise the risk of data breaches materialising and are able to identify and quickly report incidents to the breach investigation team.
The majority of data breaches are caused by human error. It is often the case that inadequate awareness training provided by organisations results in employee negligence, thereby putting people’s personal data at risk.
We believe that refreshing employees’ knowledge of the likely causes of data breaches, and of how to detect and react to incidents, reduces the number of incidents and data breaches and the potential impact they have on both the organisation and the individuals affected.
Talk to us today and see how the GDPR Support Desk can fulfil your data protection responsibilities.