Under the GDPR, every organisation should be adopting strategies and designing processes to ensure that personal data is protected. In the rush to ensure their organisations were handling personal data compliantly by 25 May 2018, some may have overlooked the need to have an effective internal plan in place to deal proactively with a breach.
A personal data breach occurs when a breach of security leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. So whether you have emailed medical records to the wrong John Smith, left your laptop containing personnel records unlocked on a train, or your online payment system has been hit by a ransomware attack that has made customer records unavailable, the incident will be considered a personal data breach.
What should you do if a breach occurs?
The steps to take following a data breach will depend on the nature of the breach, the type and volume of the data, and who has been affected. It is vital that every organisation handling personal data has a robust Incident Management Plan (IMP) in place before a breach occurs. The core purpose of an IMP is to minimise harm, both to the individuals affected and to your organisation. Failure to do so could significantly damage the reputation of your organisation.
The IMP, as with any business continuity plan, should state who a breach must be reported to internally, who will lead and coordinate the response, and name the members of your organisation's response team and their roles. The incident may have an impact across the organisation, so identifying who represents each department is important, and your plan should also address the question of when to bring in your lawyers.
All personal data breaches, whether or not they are serious enough to notify to the Information Commissioner's Office (ICO), must be documented. You should therefore keep a central file that contains not only your Data Protection Policy and the IMP but also a register of each breach, recording the facts, its effects and the remedial action taken. This register is what the ICO will ask to see if it checks whether you have been complying with your obligations.
What should the response team do?
Once the response team is established, it will need to implement the IMP and progress through the following five stages:
- Preliminary assessment – identifying the source and nature of the breach
- Containment – if the breach is ongoing, you will need to secure the affected system to prevent further loss and seek to recover any data affected (from your most recent back-up). Before you wipe or restore anything, preserve the logs and other evidence you will need to establish what happened, and check that the back-up itself was not affected by the incident
- Detailed assessment – establish how the incident occurred, whose data was affected, how sensitive the relevant data is and what other impact the breach has caused
- Notification – unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals concerned, you must notify the ICO without undue delay and, where feasible, not later than 72 hours after becoming aware of it; if you notify later than that, you must give reasons for the delay. You will also have to notify the affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms
- Prevention – once the initial breach has been dealt with, evaluate whether, and how, your systems and processes can be improved to prevent similar breaches in future. Consider also whether further staff training would reduce the risk of a repeat. Be aware that repeated breaches, especially those which could have been prevented after the first occurrence, are likely to attract the unwelcome attention of the ICO.