Under UK GDPR, organisations that hold personal data about people are responsible for ensuring that the data is handled in line with the relevant legislation.
As a result, if personal data is mishandled in breach of that legislation, organisations must respond to limit the harm caused. Where a breach is likely to result in a risk to people's rights and freedoms, they must also notify the ICO, without undue delay and where feasible within 72 hours of becoming aware of it.
It is therefore vital that your organisation can recognise a breach as early as possible, to give you the most time to handle the situation and limit its impact. This article will help you understand how to recognise a breach and what steps you must take when one has taken place.
A breach can occur in numerous ways. Asking the following questions about the personal data you hold will help you recognise one:
1. Access
- Can someone access something they shouldn’t?
2. Alteration
- Is it possible to alter something without permission?
3. Destruction
- Has it been destroyed when it should have been kept?
4. Disclosure
- Did it go to the wrong person?
5. Loss
- Has it gone missing?
In the event of a breach, it is important that your organisation acts promptly and in the correct way. It is therefore vital that the breach procedure included in your Data Protection policy is accurate and sets out the steps employees must take when they become aware of a breach. If you are unsure whether your current data breach procedure is accurate or could be improved, we have a model breach procedure document, which can be found on the resources page of the Knowledge Bank along with other model procedures and policies.
Each breach is different and may require slight variations in how you respond, but there are a number of steps you should always take, in addition to notifying your DPO as soon as you become aware of the breach. The first is to do your best to contain it and limit its spread. For an email sent to the wrong recipient, for example, this means contacting the person or people who received it, asking them to delete it and not forward it, and asking them to confirm that they have done so; for a compromised account or system it means revoking the affected credentials or isolating the system, while preserving the logs and other evidence you will need to establish what happened. The next step is to report the breach by notifying management or your data protection lead, as well as your data protection officer. At this step you record the breach in the Data Breach Log, as a detailed description that includes the following:
- When the breach occurred and when it was discovered.
- A description of the nature of the breach.
- The number of data subjects and personal data records affected.
- The categories of personal/sensitive data affected.
- Likely consequences of the breach.
- Any measures that have been or will be taken to address/mitigate the breach.
It is important that this step is completed immediately after the first containment measures have been taken, as it gives your DPO time to assess the severity of the breach, to decide whether the risk to the individuals affected means it must be reported to the ICO within the 72-hour window, and to plan the subsequent steps to inform the relevant parties and remove any vulnerabilities. Where the breach is likely to result in a high risk to the individuals concerned, you must also inform the affected data subjects without undue delay, telling them what happened, the likely consequences and the steps that have been taken in response.
After you have contained the breach, reported it to the relevant parties and notified the data subject(s) where required, the next step is to review. This involves establishing how the breach occurred and what could have been done to prevent it. The final step is to make sure a breach cannot occur in the same way in future. This could mean changing certain processes, improving security controls, and ensuring that all staff are sufficiently trained in data protection.
Data breaches must be taken seriously and dealt with appropriately and as soon as possible to mitigate the impact on data subjects, so it is important that all staff are aware of their responsibilities and the steps they must take if they become aware of a data breach. If you have any questions regarding this article or data breaches in general, you can email us at