What to do in the event of a personal data breach (hint: you have 72 hours to act, but don’t panic)

A breach of security which leads to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data constitutes a data breach, whether accidental or deliberate. The breach must involve personal data, i.e. data that uniquely identifies an individual, such as a name, contact information or bank account details. If a data breach occurs or is suspected, it is potentially reportable to the supervisory body for data protection in the UK, the Information Commissioner’s Office (‘ICO’).

Personal data breaches may arise in various circumstances, including from ransomware attacks, as a result of human error such as sending an email to the wrong recipient or forgetting to redact sensitive information from a document, a rogue employee selling personal data to a competitor, or due to a misplaced or stolen laptop. The UK General Data Protection Regulation (‘GDPR’) imposes a mandatory obligation on data controllers to report breaches in certain circumstances, as well as to ensure steps are taken to minimise the risk of a breach occurring in the first place.

It is important to note that failure to comply with the GDPR can result in hefty fines of up to 4% of global annual turnover or £17.5 million, so it is crucial that you take personal data matters and any threats to the safety of this data seriously.

The ICO has published a helpful guide on how to respond to a suspected data breach. We summarise the key tips here.

1. Don’t panic
Not every breach reported results in formal action being taken against the data controller. The ICO may simply provide you with advice on how to ensure it does not happen again. The risk of further action being taken is reduced where robust data protection policies and procedures are in place to protect against data breaches, i.e. if you did everything possible to prevent a breach.

2. Be ready to report the breach within 72 hours
If you need to report the data breach to the ICO, you must do so “without undue delay” and in any event within 72 hours. Time starts to run from discovery of the breach, not when the breach actually occurred.

3. Keep a record of the breach
It is recommended that you keep a log of the circumstances of the breach, including how it occurred, why it happened, the data and data subjects affected, who was involved in the breach and when/how it first came to your attention. We would suggest that you have a template log ready to record this.

4. Can you contain the effects of the breach?
Every step possible should be taken to protect the personal data at risk and, in turn, the rights of the affected data subjects. You should assess whether it is possible to rectify the breach quickly: can you locate a lost laptop or, if this is not possible, remotely wipe the data from it? Can you change passwords to prevent a hacker from accessing private accounts? Can you alert data subjects to cancel their bank cards if payment details have been stolen? Can you recall an email sent in error?

5. What risks are involved?
You should evaluate the risk and harm caused to the affected data subjects. Common risks may include emotional distress, identity theft, payment details ending up in the wrong hands or even safeguarding issues. On the other hand, a simple mix-up, for example sending a non-sensitive email to the wrong person, is unlikely to cause any serious risk to the intended recipient.

6. Protect those affected
If you think there is a high risk to those affected by the breach, you should inform them as soon as possible (“without undue delay”) to enable them to take steps to protect themselves. If possible, you should provide them with advice on what they can do, such as changing their passwords, cancelling their bank cards or being wary of phishing emails. Of course, it will be important to balance the risk to the individual with the reputational damage that may be suffered by your organisation. But ultimately your priority is protecting the data subjects and their personal data.

7. Report it
You will then need to decide whether the breach needs to be reported to the ICO. You should report a breach if you are concerned that the fundamental rights of the data subjects are at risk. Examples include where sensitive information ends up in the hands of a third party, a ransomware attack where the hacker can access private accounts, or an unencrypted laptop is misplaced and it is not possible to wipe the data from it remotely.

If the breach is reportable, contact the ICO by telephone on 0303 123 1113 or via their website. Remember, this should be done within 72 hours of discovery of the breach at the latest. Ideally, you will need to provide the ICO with details of the breach, including what happened, when it happened, information relating to your risk assessment and the steps taken to contain the breach.

Our recommendations
• Crucially, your organisation should now be looking at implementing robust data protection policies and procedures as well as protective safeguards to ensure, as far as possible, that breaches don’t occur.
• You should undertake a data audit so that you are fully aware of the personal data you hold and the possible risks to that data.
• Employees must also be trained on the topic to ensure they are taking steps to protect the personal data under their control.
• We would also recommend having a data breach management plan in place to make sure that if a suspected breach does occur, you can record the facts of the breach and deal with it as quickly and effectively as possible.

If you would like further advice on responding to data breaches and taking steps to align your internal processes to protect against data breaches, please get in touch.

Madeleine Rhodes Mrhodes@redfernlegal.com