What to do if your business faces a data breach

Companies in the UK need to be aware of their responsibilities in the event of a breach of the personal data they hold. Although the provisions are broadly similar, a breach affecting individuals in the UK will trigger the UK GDPR (and any notifications will have to go to the Information Commissioner's Office (ICO)), and a breach affecting individuals in the EEA will trigger the EU GDPR (with notifications going to the relevant EU supervisory authority, i.e. the national data protection authority). A single incident can affect both groups of individuals and so require both sets of notifications.

What is a data breach under the GDPR?

Broadly defined, a personal data breach is a security incident that has affected the confidentiality, integrity or availability of personal data. There will be a personal data breach whenever any personal data is accidentally lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable and this unavailability has a significant negative effect on individuals. (Information Commissioner's Office.)

Potential implications of a data breach for individuals

The implications of a data breach for an individual are many and diverse, and can include identity theft, fraud, loss of confidentiality, reputational damage and/or financial loss. On their own or cumulatively, these can contribute to emotional distress and physical and/or material damage for one individual or a group of individuals. While in many cases such adverse consequences are unlikely, it is critically important that businesses do everything in their power to avoid them, to safeguard affected individuals, and to take all necessary remedial steps.

Key steps for businesses to deal effectively with these potential implications

1. Report internally

When it is clear there has been a data breach of any kind, the nominated Data Protection Officer (DPO) should be alerted. Where the business has not appointed a DPO, the person responsible for data protection should be alerted instead. The 72-hour period for notifying the ICO runs from the moment the business becomes aware of the breach, so internal reporting should not be delayed while the full facts are gathered.

2. Assess internally

The DPO should assess the scope and extent of the data breach by addressing the types of personal data involved (in particular whether any special category data, financial data or login credentials are included), the number of data subjects, the security measures currently in place (for example whether the data was encrypted and whether the key remained secure), the likely cause of the breach, and the likelihood and severity of harm to the individuals affected.

3. Report externally to the ICO

The breach must be notified to the ICO without undue delay and, where feasible, not later than 72 hours after the business becomes aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. The threshold for notifying the ICO is therefore any likely risk, not only a high risk (a high risk is the threshold for notifying the affected individuals themselves, which is covered in step 4). If the DPO decides that the breach is unlikely to result in a risk, no external report is required, but the facts of the breach, its effects and the remedial action taken must still be recorded on an incident report register, which the ICO is entitled to inspect. If the notification is made after 72 hours, it must be accompanied by the reasons for the delay, and where the full facts are not yet known the information may be provided to the ICO in phases.

4. Alert affected customers

If it has been determined that the breach is likely to result in a high risk to individuals, the business must also inform the affected individuals (for example its customers) without undue delay, and best practice is to do this at the same time as notifying the ICO so that they can take any relevant safeguarding actions to protect themselves. If a business does not take this step, the ICO may require it to do so. Relevant and transparent details should be provided in clear and plain language, such as the nature of the breach, its likely consequences, the measures the business has taken or proposes to take, and a contact point (normally the DPO) for further information. Individual notification is not required where the data was protected so as to be unintelligible to anyone not authorised to access it (for example properly encrypted data whose key was not compromised), or where subsequent measures mean the high risk is no longer likely to materialise; where contacting each individual would involve disproportionate effort, a public communication may be used instead.

5. Remedial action

At the same time as the above steps, incident support or technical teams should be working quickly to contain the breach, to fix the vulnerabilities in data storage systems that allowed it, and to prevent further similar breaches from happening. Containment typically means revoking or rotating any compromised credentials, access tokens and keys, isolating affected systems, and closing the route by which the data was accessed. Logs and other evidence should be preserved before systems are cleaned or rebuilt, as they will be needed to establish exactly what data was affected and to support the report to the ICO.

6. Breach register and ongoing communication with the DPO

A log should be retained of every action and decision taken, together with the time at which it was taken, and regular communication should be maintained with the DPO. This record serves both to demonstrate compliance to the ICO and to support the assessment in step 2 as further facts emerge.

7. Recovering corporate reputation after a data breach

Once they become public (and this will happen very quickly once customers are notified) data breaches can be highly damaging to corporate reputation if not managed properly. 

Recovering reputation 

Taking care of the following will assist businesses in managing and recovering reputation should this occur:

Breach/crisis response plan

Businesses that have engaged in advance crisis planning will be able to respond much more quickly and effectively to an unexpected data breach, thus minimising, and possibly avoiding altogether, reputational damage. Key crisis handlers (including the senior leadership and the CEO) should be appointed in advance, and the plan should be rehearsed periodically so that the handlers know their roles before an incident occurs.

Timely, direct and transparent communication with affected customers

Some of the negative reputational aspects of a breach may be minimised by keeping a clear and helpful line of communication open with affected customers, updating them on what is happening, addressing their queries (or complaints), and assisting them with any actions they may need to take. Information could be provided on how customers can protect themselves, e.g. by changing passwords or being more alert to fraudulent activity on their accounts.

Contingency plans and future incidents

Lessons can be learned from data breaches which can be used to strengthen internal systems, and to provide better services to customers. If businesses can clearly show and communicate this to customers following a breach, it is more likely that a good corporate reputation will be maintained.

The information on this website is intended as a guide and does not constitute legal advice. Vardags do not accept liability for any errors in the information on this website, nor any losses stemming from reliance upon the statements made herein. All articles and pages aim to reflect the legal position at time they were published, and may have been rendered obsolete by subsequent developments in the law. Should you require specialist advice, tailored to your situation, please see how Vardags can help you.
