Learn How To Respond To A Data Breach

The Information Commissioner’s Office (ICO), the UK’s executive body for upholding information rights, defines a personal data breach as a security incident that affects the availability, integrity or confidentiality of personal data. This blog post is aimed at organisations that would like to know more about how to respond to a data breach.

We’ll cover important topics such as reporting data breaches to the ICO, when individuals need to be informed, and what data breach prevention steps can be taken to stop future breaches from occurring. You will also see step-by-step guidance on how your organisation could mount an effective data breach response if personal data has been compromised.

It is important to note that the ICO does not issue compensation payments to those affected by personal data breaches. However, it can and will issue a reprimand or even a data breach fine to organisations that fail to uphold their legal obligations under data protection laws, such as the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA).

Furthermore, we can help assess the eligibility of data breach compensation claims and connect eligible claimants with one of our No Win No Fee solicitors as part of our services. To chat with our team, you can:


Browse Our Guide

  1. How To Respond To A Data Breach
  2. Do I Need To Report A Data Breach To The Information Commissioner’s Office (ICO)?
  3. Do I Need To Notify Affected Individuals Of A Data Breach?
  4. How Do I Make Sure A Data Breach Doesn’t Happen Again?
  5. Learn More About Personal Data Breaches

How To Respond To A Data Breach

Organisations must report a data breach to the ICO within 72 hours of discovering it. The reporting threshold can be summarised as any breach that has a ‘substantial impact’ on the user base, but we’ll cover this in more detail later in the guide.

How to respond to a data breach is a core issue for any organisation. The ICO has published written guidance on responding to a data breach, which we have summarised in the sections below.

We have provided some data breach claim examples, using the steps from the ICO guidance, to help illustrate the following sections.

Find Out What Happened

Before any action can be taken, you will need to establish what happened. Make a log of what has occurred (cybersecurity incident, lost documents, wrong mailing address) together with a timeline of events. You should also note how many data subjects were affected and what actions have been taken so far.

So if an email data breach has occurred, where personal data has been emailed to the wrong person, be sure to note down when the email was sent, who it was sent to, what personal information it contained and what steps you are planning to take.

Getting all the facts together before responding will help ensure that your actions are well-informed and address the situation proportionately and in a timely manner.

Attempt To Contain The Data Breach

The steps that can be taken to contain a personal data breach will vary depending on the nature of the incident. For a cybersecurity incident, you can change your office passwords and make sure all staff do the same.

In a case where information has been posted or emailed to the wrong person, you could ask them to return it, have it ready for collection, or delete the material from their device.

If you suspect a laptop or other device has been lost or stolen, you can retrace your steps and contact your local authority to see if it has been found and handed in to them. You should also report any theft to the police. If you have the appropriate software installed, you could also wipe the device remotely.

Assess The Potential Risks Of The Breach

Assessing the risks means identifying what harm may be caused to the affected data subjects. This can range from a simple matter of returning paperwork to where it should be, to serious breaches that cause significant and lasting distress. Your assessment will inform your response and enable you to resolve the matter appropriately.

For example, an HR data breach could result in significant distress to affected staff members, especially if the HR department has dealt with issues such as workplace discrimination or pay disputes.

Your risk assessment should include information about what personal information was involved, how the breach occurred, and who potentially could have access to the information. You should also assess whether or not the breach meets the reporting threshold, which we cover below.

Following a data breach at your organisation, any individuals affected by the breach may be eligible to claim compensation if they can prove that you failed to adhere to data protection laws and that they suffered mentally or financially as a result of their personal data being breached.


Do I Need To Report A Data Breach To The Information Commissioner’s Office (ICO)?

As mentioned above, you must inform the ICO of any data breach that has occurred at your organisation within 72 hours of discovering it.

When making this report to the ICO, the information you will need to provide should include:

  • How the breach occurred.
  • How and when you discovered the breach.
  • Who has been or may be affected by the breach.
  • What steps and actions you are taking in response to the breach.
  • The contact details of anyone else the ICO may need to approach for more information, and whether you have informed anyone else of the data breach.

When reporting a breach to the ICO, you should provide as much accurate detail as possible. The ICO will then use the information you provide to decide what should happen next.

The ICO may use it to identify data security incident trends or to take regulatory action. Where appropriate, the ICO may also share this information with cybercrime and law enforcement agencies or other regulators.

Do I Need To Notify Affected Individuals Of A Data Breach?

Individuals affected by the data breach only need to be notified if there is a high risk to their rights and freedoms. When informing an individual of a data breach that has compromised their personal data, the information you will need to provide them includes:

  • A description of the nature of the data breach.
  • The contact details and name of the data protection officer (if relevant) or other contact point where further information can be obtained.
  • What the likely consequences of the personal data breach will be.
  • What measures you as an organisation have taken, or intend to take, to deal with the data breach and mitigate the possible adverse effects.

As well as informing individuals that a breach has taken place, you should also monitor and analyse personal data breaches to prevent similar incidents from occurring again.


How Do I Make Sure A Data Breach Doesn’t Happen Again?

Preventing future incidents is a key part of how to respond to a data breach. The measures you take will, in part, be informed by the nature of the breach itself. However, continually reviewing procedures and updating software, training and response plans will go a long way towards preventing future breaches.

Some steps that the ICO suggests your organisation should take to minimise the risk of data breaches occurring include:

  • Ensuring staff are up to date with data protection training and know how to respond effectively if a data breach were to occur within the organisation.
  • Ensuring data is stored securely. For example, ensure any paper files containing personal data are kept in a locked filing cabinet that only authorised personnel can unlock and access.
  • Making sure that all information held is up to date. This could help prevent personal data from being sent to the wrong postal or email address.
  • Regularly updating passwords and cyber security measures to minimise the risk of cyber attacks taking place or of personal data being accessed digitally.

If your personal data has been breached by the organisation you work for, we could help you make a personal data breach compensation claim as part of our services:

Learn More About Personal Data Breaches

You can read some more of our data breach claims guides here:

We have also provided some relevant external resources for additional information:

Thank you for taking the time to read this post on how to respond to a data breach. You can contact our advisors to see how we could help you if your data has been breached by an organisation, including one you work for.