Support Desk: Handling Data Breaches!

By Philip Brining

The weeks in the run-up to Christmas were busy for the Support Desk, who were on hand to assist with personal data breaches and near-miss incidents.

Data Breaches and Near Misses!

Most of our clients currently use the Support Desk, based in Leeds. Clients are provided with a two-part data breach assessment template: in the event of a security incident involving personal data, the lead investigator within the organisation uses it to record a detailed description of the incident.

Part 1 of the template sets out what the lead investigator should include in the report, for example: what personal data or special category data is involved; which categories of data subjects are affected (e.g. customers or employees); when the incident occurred; how it was discovered; and what measures have been taken so far to address it.

Part 2 of the template is completed by Support Desk consultants. We assess the report and determine whether the incident can be considered a personal data breach under the definition of the General Data Protection Regulation (GDPR).

A personal data breach is defined in Article 4(12) of the GDPR as:

“a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”

For there to be a personal data breach as per the definition there must be:

  • A breach of security; and
  • Personal data.

Assessing the Risk

We establish whether there has been a breach of security and whether personal data (i.e. information that can identify a living individual) has been unlawfully destroyed, lost, altered, disclosed, accessed or otherwise processed.

Once we have established whether the incident amounts to a personal data breach, we assess the impact or adverse effects on individuals, how likely the risk(s) are to materialise, the nature, sensitivity and volume of the data involved, the remedial and mitigating steps to consider, and our judgement on whether the breach is reportable to the Information Commissioner’s Office (ICO).

Investigation

‘Near miss’ incidents are those where personal data has not actually been compromised. An example of a near miss we have handled involved files containing personal data being accidentally moved to an unrestricted area on the shared network. A staff member became aware of the misplaced files and immediately reported the incident to the lead investigator, who removed the files from the accessible area and contacted the Support Desk for advice.

We advised that the IT service provider should carry out a thorough investigation to establish how the files were accidentally moved to the wrong location, for example by reviewing the full file structure to determine whether any other files are in the wrong location and setting permissions on the affected files accordingly.

Investigations by the client and the IT service provider confirmed that no personal data had been unlawfully disclosed: the file access logs showed no evidence that the files were accessed during the period they sat in the unrestricted area.
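The log review described above, as an added example that is not part of the original article or the client's own tooling: given a file-access audit log, it lists every access to files under the wrongly exposed path during the exposure window by an account other than those known to have moved or removed the files. The log format, paths, account names and timestamps are all constructed assumptions.

```python
# Added example, not code from the original article or from Data Protection People.
# Reviews a constructed file-access audit log for reads of files that sat in an
# unrestricted share area during a known exposure window.
from dataclasses import dataclass
from datetime import datetime

# Constructed audit lines: "ISO timestamp,account,action,share-relative path".
SAMPLE_LOG = """\
2019-12-10T09:02:11,j.smith,MOVE,/public/hr/payroll_2019.xlsx
2019-12-10T09:15:40,m.jones,READ,/public/newsletter.pdf
2019-12-10T09:47:03,j.smith,READ,/public/hr/payroll_2019.xlsx
2019-12-10T10:30:55,lead.investigator,MOVE,/public/hr/payroll_2019.xlsx
"""
# Same scenario, but a third account opened the file while it was exposed.
SAMPLE_LOG_WITH_ACCESS = SAMPLE_LOG + "2019-12-10T10:02:19,contractor,READ,/public/hr/payroll_2019.xlsx\n"

EXPOSED_PREFIX = "/public/hr/"  # assumed location the files were wrongly moved to
WINDOW = (datetime(2019, 12, 10, 9, 2, 11), datetime(2019, 12, 10, 10, 30, 55))
HANDLERS = {"j.smith", "lead.investigator"}  # accounts that moved / removed the files

@dataclass(frozen=True)
class Access:
    when: datetime
    account: str
    action: str
    path: str

def parse_log(text: str) -> list[Access]:
    """Parse the constructed CSV-style audit format, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, action, path = line.split(",", 3)
        records.append(Access(datetime.fromisoformat(ts), account, action, path))
    return records

def unexplained_accesses(records, prefix=EXPOSED_PREFIX, window=WINDOW, handlers=HANDLERS):
    """Accesses to files under `prefix`, inside the exposure window, by accounts
    other than those known to have handled the files. An empty result is the
    'no evidence of access' finding that supports recording a near miss."""
    start, end = window
    known = {h.lower() for h in handlers}
    return [r for r in records
            if r.path.lower().startswith(prefix.lower())
            and start <= r.when <= end
            and r.account.lower() not in known]

if __name__ == "__main__":
    for label, log in (("near miss", SAMPLE_LOG), ("access found", SAMPLE_LOG_WITH_ACCESS)):
        hits = unexplained_accesses(parse_log(log))
        print(label, "->", [(h.when.isoformat(), h.account, h.path) for h in hits])
```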

Accountability

We therefore advised that the incident be recorded as a near miss in the breach register and that the relevant investigation documents be saved in a secured central location, so that on request from either the ICO or the data subject(s) the client can locate the appropriate information in a timely manner.

Most importantly, we recommend to all of our clients that they conduct regular data protection training and run awareness campaigns to ensure employees are aware of how to minimise the risk of data breaches materialising and are able to identify and quickly report incidents to the breach investigation team.

The majority of data breaches are caused by human error. It is often the case that inadequate awareness training results in employee negligence, which puts people’s personal data at risk.

We believe that refreshing employees’ knowledge of the likely causes of data breaches, and of how to detect and react to incidents, reduces the number of incidents and the potential impact of breaches on both the organisation and the individuals affected.

Talk to us today and see how the GDPR Support Desk can fulfil your data protection responsibilities.

Nicholas Otley


    Data Protection People Limited – March 2021