Written by Syan Bateman

Personal data breaches aren’t uncommon, but they can cost time, money and reputation, unless you know how to handle the incident quickly. So, what is a data breach, how does it occur, and how do you deal with it? 

A data breach is when personal information is accessed, disclosed, or deleted without authorisation. It can occur accidentally, for example by sending an email to the wrong person with an attachment containing someone else's personal information. Or it can occur intentionally, for example when an ex-employee with a grudge against the company shares personal data held by the company with unauthorised people in order to get the company into trouble.

All companies should have documented policies and procedures on how to handle data breaches, and all company staff should be informed and trained on those procedures, so that they can promptly take corrective actions.

1. Contain the breach

The most important thing is to reduce the impact of the breach. Determine which servers and which data have been compromised and contain them. Contact your IT or security department, recall funds, change passwords, restore backups, and so on.

Internal communication is also key here and throughout the process. Managers and staff should be informed how the breach may affect their work and whether they need to regain access.

2. Examine the breach

Throughout the breach and its containment, make sure to preserve evidence of what happened and what you did. Keep track of:

  • What was the cause of the breach?
  • Who was impacted?
  • How was the impact of the breach mitigated?
  • What are your next steps?

3. Evaluate the risk severity

You should already have a relevant policy and procedure, such as an Incident Notification Policy or a Data Breach Policy. These should contain the common types of incidents your organisation encounters, and a matrix that identifies what a serious incident for your organisation is. 

To assess how severe the data breach is, you can ask the following questions:

  • What information was accessed/targeted?
  • Who and how many people are affected?
  • What was the duration of the incident?
  • What was the geographical spread?
  • What was the extent of the incident, such as the damage to reputation, or financial impact?
  • And what was the extent of the impact?

High-risk breaches will often have significant detrimental effects. If you're uncertain as to the severity of the risk, contact us at info@bivika.com or contact the ICO.

4. Identify the applicable regulation(s) and whether the breach is reportable

Some data breaches must be reported to the ICO. A reportable data breach is a personal data breach which presents a risk to the rights and freedoms of the data subject. If in doubt as to whether a breach should be reported, you may ask your DPO, contact us at info@bivika.com, or inform the ICO anyway. Additionally, you may need to identify which regulations your company falls under, and then determine who to report the data breach to.

  • Organisations that provide digital services, such as online marketplaces, search engines or cloud services, come under NIS (Network and Information Systems). If the breach has a ‘substantial impact on the provision of your services’, you must notify the ICO.
  • Providers of digital identity and trust services for electronic transactions come under eIDAS (electronic identification and trust services). If the breach has ‘a significant impact on [the] trust service provided’, you must notify the ICO.
  • Telecom and internet service providers come under PECR (Privacy and Electronic Communications Regulations) and must notify the ICO in all cases of a personal data breach.
  • Health sector organisations should use the Data Security and Protection Incident Reporting toolkit to report all personal data breaches.

UK GDPR (General Data Protection Regulation) 2021 and the DPA (Data Protection Act) 2018 apply to all companies. If the breach is likely to result in a risk to people's rights and freedoms, or is a serious data breach, you must notify the ICO. If there is a high risk, then you must also notify the individuals who have been affected.

If the breach is also a significant cyber incident, it should be reported to the NCSC (National Cyber Security Centre). If the breach may lead to a higher risk of fraud, it should be reported to Action Fraud. The ICO may let you know whether to contact them, or may liaise with them on your behalf, but it is your responsibility to ensure they're informed.

The ICO may also notify overseas authorities if relevant.

5. Notify the ICO and relevant parties

If you’re still uncertain whether you should report the breach, you can take the self-assessment form at https://ico.org.uk/for-organisations/report-a-breach, call the ICO, or contact us. 

Next, if you’re still dealing with the breach and cannot access your own systems, call the ICO.

Otherwise, and especially if you've fully dealt with the breach appropriately, report to the ICO online. Include a phone number for someone familiar with the breach in case the ICO needs to follow up.

When you contact them, provide information on:

  • What happened,
  • How and when you discovered the breach,
  • Who is/may be impacted,
  • What you are currently doing about it,
  • Who you have told.

You do not need to have fully dealt with the problem, nor to provide all the information, but the ICO should know the potential scope, cause and current actions surrounding the breach within 72 hours. Further information can be provided later, as it comes to light.

If any third parties are affected by the security incident, they should also be notified, such as any end users relying on the integrity of a trust service.

6. Implement improvements

Once the breach and its reporting have been resolved, make sure to identify the causes of the breach, and use what you learned to improve your security so that a similar breach doesn't happen again.
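To make steps 2, 3 and 5 concrete, here is a small breach-triage helper in Python. It is an added example, not a tool from the author or from Bivika: it keeps a hash-chained evidence log so that entries recorded during containment cannot be silently edited later, applies a severity matrix built from the questions in step 3, and works out who must be told and the 72-hour ICO window. The point values in the matrix, the data categories, the names (`BreachRecord`, `assess_severity`, `notification_plan`) and the sample incident are all constructed for illustration; the real matrix belongs in your own Data Breach Policy.

```python
# Added example: breach triage helper (evidence log, severity matrix, notification plan).
# Not the author's or Bivika's code. The scoring matrix below is a constructed
# placeholder; replace it with the one from your Data Breach Policy.
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

ICO_WINDOW = timedelta(hours=72)   # ICO must know scope, cause and actions within 72 hours
GENESIS = "0" * 64                 # prev-hash of the first log entry


@dataclass
class EvidenceEntry:
    when: str      # ISO-8601 UTC timestamp
    who: str       # person recording the entry
    note: str      # what happened or what was done
    prev: str      # digest of the previous entry (hash chain)
    digest: str    # SHA-256 over the four fields above


def _digest(when: str, who: str, note: str, prev: str) -> str:
    payload = json.dumps({"when": when, "who": who, "note": note, "prev": prev}, sort_keys=True)
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


@dataclass
class BreachRecord:
    discovered_at: datetime
    entries: list[EvidenceEntry] = field(default_factory=list)

    def log(self, who: str, note: str, when: datetime | None = None) -> EvidenceEntry:
        """Step 2: append a timestamped, hash-chained entry of what happened / what was done."""
        stamp = (when or datetime.now(timezone.utc)).isoformat()
        prev = self.entries[-1].digest if self.entries else GENESIS
        entry = EvidenceEntry(stamp, who, note, prev, _digest(stamp, who, note, prev))
        self.entries.append(entry)
        return entry

    def chain_intact(self) -> bool:
        """Recompute every digest; an edited, deleted or reordered entry breaks the chain."""
        prev = GENESIS
        for e in self.entries:
            if e.prev != prev or _digest(e.when, e.who, e.note, e.prev) != e.digest:
                return False
            prev = e.digest
        return True

    def ico_deadline(self) -> datetime:
        return self.discovered_at + ICO_WINDOW

    def hours_left(self, now: datetime) -> float:
        return (self.ico_deadline() - now).total_seconds() / 3600


# Step 3: constructed severity matrix. Each answer to the page's questions adds points.
def assess_severity(data_kind: str, people: int, duration_hours: float, countries: int) -> str:
    score = {"contact": 1, "financial": 3, "health": 4}.get(data_kind, 2)   # what was accessed
    score += 0 if people < 10 else 2 if people < 1000 else 4                # how many affected
    score += 0 if duration_hours < 24 else 1 if duration_hours < 168 else 2  # duration
    score += 0 if countries <= 1 else 2                                      # geographical spread
    return "high" if score >= 8 else "medium" if score >= 4 else "low"


# Steps 4 and 5: who must be told, following the rules on this page.
def notification_plan(severity: str, risk_to_rights: bool, pecr_provider: bool = False) -> dict:
    # ICO: risk to rights and freedoms, or a serious breach; PECR providers notify in all cases.
    notify_ico = risk_to_rights or severity == "high" or pecr_provider
    return {
        "ico": notify_ico,
        "individuals": severity == "high",      # high risk: affected people must be told too
        "deadline_hours": 72 if notify_ico else None,
    }


if __name__ == "__main__":
    # Constructed sample incident: a misdirected email, discovered at 09:30 UTC.
    found = datetime(2024, 1, 8, 9, 30, tzinfo=timezone.utc)
    rec = BreachRecord(discovered_at=found)
    rec.log("j.doe", "Email with one attachment sent to the wrong external recipient", found)
    rec.log("j.doe", "Recipient asked to delete it; deletion confirmed", found + timedelta(hours=2))
    sev = assess_severity("financial", 1, 2, 1)
    print("severity:", sev, notification_plan(sev, risk_to_rights=False))
    print("ICO deadline:", rec.ico_deadline().isoformat(), "chain intact:", rec.chain_intact())
```

The hash chain is what makes the log useful as evidence: if anyone later edits an earlier entry, `chain_intact()` returns `False`, so the record you hand to the ICO or an investigator can be shown to be the one written at the time. The severity thresholds are deliberately simple; what matters is that the organisation agrees them in advance, in the policy, rather than during the incident.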

If you want to ensure your company is secure and compliant with data protection law, or if you've just had a data breach and want more advice, contact us at info@bivika.com.
