If you’re as keen as I am on all things Data Protection related you may have read the recent Data Breach Survey from DLA Piper – it’s an interesting read, the number of reported breaches are up and show no sign of slowing down (so are the fines, but that’s another blog!).
So, do you need to report everything?
Well, not necessarily, but it’s very important that you investigate properly and keep clear records – you must keep a record of all breaches, even if you decide not to report to the Information Commissioners Office (ICO).
A data breach covers any of the following things happening to the personal information that you hold:
- Unauthorised disclosure
- Unauthorised access
And, it covers both deliberate and accidental acts so even if you didn’t mean to do any of the above, it could still be a breach!
If one of these does happen, try not panic (easier said than done!) and follow your own policy or procedures for data breaches. If you don’t have a policy or procedures, I’d recommend that you read the ICO web page on personal data breaches which outlines what they expect you to do in the event of a breach.
They also have a useful self-assessment for data breaches where you answer a few questions about the data breach and it tells you at the end whether you should report it or not.
I will emphasize that your focus should be on the individuals whose information may have been compromised – if you are processing their information and something happens to it (accidentally or otherwise) then you need to fully assess the level of risk to those people and you need to tell them if there is a high level of risk.
I’ve been using the European Union Agency for Cybersecurity (ENISA) personal data breach severity assessment methodology – a long title but to put it briefly, it helps you to rate how much of a risk a breach poses to individuals depending on the type of data and what happened to it.
Remember – you must keep records of all breaches and be able to show why you did, or didn’t, report it to the ICO.
You also need to try and stop a breach from happening again, so after the investigation you may need to change a process, provide further training or take other corrective steps – you should learn from any mistakes.
In the, unlikely, event of a data breach I hope some of this might be helpful. If you need to brush up on all things data protection, the next SCVO training course is:
Introduction to data protection and the GDPR – 12th March in Glasgow
I’ll hopefully see you at The Gathering too – happy Data Protection Day!