You’ve had a data breach, what now?
With businesses storing more and more of their customers’ information online, in addition to collecting ever-expanding categories of personal data, the Information Commissioner’s Office (‘ICO’) is tasked by the government to strictly maintain and enforce data protection rights in the interests of the public. This duty also includes overseeing and assessing personal data breaches in the UK.
If a business suffers a data breach, it may be obligated to carry out a number of procedures prescribed by the ICO. Following the introduction of the Data Protection Act 2018 and General Data Protection Regulation (EU) 2016/679 (the ‘GDPR’), and depending on the extent and effects of a breach and on any failure to conform to the ICO’s requirements, businesses could now face a potential maximum fine of £17.5 million or 4% of their annual global turnover, whichever is greater.
It is, however, very unlikely that anyone other than the very biggest businesses would incur fines of this size, and even then only for very serious breaches. For most businesses, the real cost of a breach is most likely to be reputational damage and a huge loss of management time spent dealing with the repercussions.
What is a personal data breach?
A personal data breach is a breach of security which results in the loss of, unauthorised disclosure of, or unauthorised access to personal data. Broadly speaking, this occurs when an incident affects, or threatens to affect, the confidentiality and integrity of personal data stored by or on behalf of a business. It could result from a wide range of causes, such as a cyber security breach or even sending a sensitive email to an incorrect recipient.
Once such a breach has occurred, a business must take specific actions in order to comply with the Data Protection Act 2018 and wider ICO guidance. It is therefore important to identify how and where a data breach has occurred as quickly as possible, and act diligently to ensure compliance with any guidance given by the ICO relating to the breach.
It is important to remember that all personal data breaches must be recorded by your Data Protection Officer. Your business’s officer should ensure that their reports provide details of the facts surrounding a breach, including how the breach came about, the effects of the breach and any action which your company has taken in response. It is important to keep this information up to date, as the ICO can demand access to your records for the purposes of its investigation, and it is an offence to fail to keep adequate data breach records.
In certain circumstances you may be required to notify the ICO. This obligation is triggered where there is a likely risk to an individual’s rights or freedoms. When assessing whether you may need to notify the ICO you should look at the severity of the breach, how the breach occurred, the specific data accessed, and what impact the compromised data may have on the individual as a result of that information reaching an unauthorised third party.
For example, could the information accessed be sufficient to allow an ill-intentioned party to commit identity theft? Or is the data particularly sensitive, such that sharing it places the individual in a compromised position? If you conclude that this is the case, you must notify the ICO immediately. Alternatively, if you determine, for example, that the information lost was already freely available on the internet independently of the breach, you may not need to notify the ICO.
It may also be necessary to contact the affected individual and advise them of the breach. A business must notify an individual where it believes a breach will cause a high degree of risk to the individual’s rights or freedoms. This is a higher threshold than for notification to the ICO, but it must always be considered nonetheless. Whether it becomes necessary for you to notify the individual will depend on the circumstances and should be assessed on a case-by-case basis. Broadly, if there is a high risk of the compromised data negatively impacting the rights and freedoms of the individual, you must notify them of the breach.
A notice to an individual should include the circumstances in which the data was accessed, what was accessed and how this data could be maliciously used. Depending on the context of the breach, further requirements may be prescribed by the ICO.
How to prepare for a breach
Unfortunately, a breach can happen to any business at any time, even with the strictest data protection measures in place, as it can so easily come down to human error. It is therefore key to have a clear plan and policy which can be acted upon if and when a breach does occur. That plan should involve a precise assessment of the impact of the breach, which will direct your Data Protection Officer to the further steps that need to be carried out.
Importantly, we advise all our clients that it is crucial to give staff appropriate data protection training from the outset, not only to minimise the risk of staff innocently causing a breach, but also to help them identify when a breach may have occurred and the steps that follow as a result. This allows businesses to deal with a data breach immediately, rather than waiting to be informed that a breach has taken place, at which point the effects of the breach and the liability of the company may be greater.
How we can help
If you have experienced a data breach and need assistance with the actions that your business is required to undertake, or require guidance on your data protection responsibilities generally, then please contact our Business & Commercial Team on 01603 620508, who will be able to assess your organisation’s situation and tailor advice that will protect both your business and your customers.
Our Fosters In House team can also assess and advise a range of businesses spanning a vast number of industries. If you think your business could benefit from ongoing access to legal support, then contact us to schedule a free business health check and receive more information on the Fosters In House services we offer.
This article was produced on the 5th July 2022 by our Business & Commercial team for information purposes only and should not be construed or relied upon as specific legal advice.