Personal data breaches are stressful and time consuming. With reported breaches increasing year on year, the likelihood of an organisation experiencing one is high. Because breaches usually occur without warning and at inconvenient times, it pays to be prepared.
Do I have to report a breach?
In some cases, yes. The EU General Data Protection Regulation (GDPR) imposes a statutory duty on controllers to self-report certain types of personal data breach to the relevant supervisory authority (in the UK, that’s the Information Commissioner’s Office). Notification is required unless the breach is unlikely to result in a risk to individuals’ rights and freedoms, and must be made without undue delay and, where feasible, within 72 hours of when you become aware of the breach. A notification made after 72 hours must be accompanied by the reasons for the delay. A processor that becomes aware of a breach must notify the controller without undue delay.
If the breach is likely to result in a high risk to individuals’ rights and freedoms, you must also inform those individuals without undue delay.
How do I decide whether I need to report a breach?
Deciding whether or not you are required to self-report a breach and/or inform individuals can be a difficult decision for any organisation to make, and we are often called in to advise at this point. There are risks on both sides, and the 72-hour clock means they must be evaluated carefully but quickly: failing to notify when required is itself an infringement that can attract a fine, while an unnecessary notification invites regulatory scrutiny and may needlessly alarm the individuals concerned.
What do we need to do before a breach occurs?
You should have stringent procedures in place to detect, investigate and internally report data breaches. These procedures will pay dividends when it comes to deciding whether or not a breach needs to be self-reported. Given that many breaches originate in human error (a misdirected email, a lost device, a mistaken disclosure), it is critical that your staff can recognise a breach when they see one, and know who to report it to internally and how quickly. Bear in mind that every breach must be documented (the facts, its effects and the remedial action taken), whether or not it is ultimately reported, so the supervisory authority can verify that you complied with your obligations.
You should also have a Breach Action Protocol ready to spring into action if a breach occurs. This is your ready-made plan to guide you through the entire breach process: assembling your “Incident Response Team”, investigating and documenting the facts, assessing the risk to individuals, notifying the breach to the relevant authorities and the individuals affected, managing PR, dealing with intervention and enforcement action, and finally evaluation and review.
We have expertise in providing support to clients facing a personal data breach at every stage in the process. We also represent and defend clients facing intervention and enforcement action from the ICO following a breach.
Here’s how we can help
- Bespoke procedures for detecting, investigating and self-reporting a breach
- Training staff to recognise and report a breach to your Data Protection Lead
- Building bespoke eLearning packages or mini videos for staff
- Data breach policies
- Data breach legal support service
- Support in dealing with intervention and enforcement action by the ICO