GDPR: A five step guide to dealing with a data breach

The General Data Protection Regulation (GDPR) has now come into effect and with it come new and more onerous reporting and record-keeping requirements in relation to data breaches.

Even with the best technical and security measures in place, the reality is that organisations and the people within them are fallible. Therefore, data breaches can and will occur. We have produced a five step guide on how to best address this eventuality.

Step 1: Recognising a data breach

It is vital that staff are trained to recognise a data breach so that they can, in turn, promptly take steps to address it. There will be a data breach whenever personal data is lost, destroyed, corrupted, altered, disclosed or accessed without proper authorisation. This includes breaches that are the result of both accidental and deliberate causes. Some examples of data breaches include:

  • Access by an unauthorised third party;
  • Sending personal data to an incorrect recipient;
  • Computing devices containing personal data being lost or stolen;
  • Alteration of personal data without permission; and
  • Loss of availability of personal data.

Step 2: Containing a data breach

On becoming aware of a breach, staff must immediately communicate it to the individuals within the organisation who are responsible for data protection (e.g. a data protection officer) and who will have a response plan in place to prevent further damage being caused. Communication in the event of a data breach is crucial to the containment of damage and should be encouraged amongst staff.

Step 3: Assessing a data breach

This step requires assessing the potential adverse consequences of the data breach, in particular the risk to the data subject’s rights and freedoms. Recital 85 of the GDPR explains that:

“A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned”.

This means that a breach can have a range of adverse effects, including emotional distress and reputational, physical and financial damage. You will need to analyse this on a case-by-case basis, looking at all relevant factors such as the type of data involved, how sensitive the data is, how many records were affected, what impact the records being made public would have on the data subject and whether encryption was used.

This analysis will assist in determining the likelihood and severity of the resulting risk to the data subject, which will, in turn, facilitate decision-making about whether or not you need to notify the relevant supervisory authority and the affected individuals.

Step 4: Reporting a data breach

Information Commissioner's Office (ICO) - If, after undertaking your assessment, you determine that there is a likely risk of harm to the data subject’s rights and freedoms, then you must notify the ICO. You must do so without undue delay and within 24 hours, but in any event within 72 hours of becoming aware of the breach. If you take longer than this, you must give reasons for the delay. The ICO must be provided as a minimum with the following details:

  • The nature of the breach, including the approximate number of individuals affected and the categories of data that have been breached;
  • Contact details of the organisation’s data protection officer or other contact point where more information can be obtained;
  • The likely consequences of the personal data breach; and
  • The measures taken, or proposed to be taken, by the organisation to address the breach.

If the risk of harm is unlikely, then you do not have to report the breach, but you do need to justify your decision and should document it.

Data Subjects - If the breach is likely to result in a “high risk” to the rights and freedoms of the data subject, you must also inform those directly concerned without undue delay.

The “high risk” test means that the threshold for informing data subjects is higher than the threshold for notifying the ICO. However, this additional notification will not be required if:

  • Appropriate technical and organisational protection measures have been implemented and applied to the affected personal data;
  • Subsequent measures have been taken to ensure that the high risk to the rights and freedoms of the data subject is unlikely to materialise; and
  • It would involve disproportionate effort to notify individual data subjects. In this circumstance, a public announcement may be more appropriate.

Remember that failure to report a breach when required to do so could result in a fine, as well as a fine for the breach itself.

Step 5: Recording a data breach

Organisations must keep a record of any personal data breaches, regardless of whether they are required to notify, and they must also document their decision-making process in line with the requirements of the GDPR accountability principle.

By implementing robust breach detection, investigation and internal reporting, organisations will put themselves in the strongest possible position to meet the strict requirements above, and to do so within the tight timeframe provided.

CONTACT CHRIS

If you would like more information or advice relating to this article or an employment law matter, please do not hesitate to contact Chris Cook on 01727 798089.

© SA LAW 2018

Every care is taken in the preparation of our articles. However, no responsibility can be accepted to any person who acts on the basis of information contained in them alone. You are recommended to obtain specific advice in respect of individual cases.