Managing a personal data breach
You’ve had a data breach… what next?
We recently wrote about how to protect your data when your workforce is ‘out of the office’. For the vast majority of the UK, this is now the reality of the world they live and work in. However, what happens if your organisation has a breach?
Recent insight from email security firm Egress reported that a third of IT leaders said that the main source of breaches was employees simply sending information to the wrong person, demonstrating that, in many cases, breaches come down to simple human error.
Most organisations will have breaches on a fairly regular basis, for example, emails sent to the wrong person, lost documents at the printers or missing USB sticks.
So, if a breach occurs, how do you manage it? Particularly if all, or the majority, of your workforce is working remotely?
- Prepare - The age-old mantra of ‘prevention is better than cure’ is particularly relevant when it comes to managing a data breach. There are three core things organisations should do to ensure they are prepared, particularly in the current climate:
  - Educate - we’re always talking about the importance of training and educating employees to foster a ‘data positive’ culture in an organisation. If your workforce is now working remotely, policies and security standards should be updated and recirculated. This is particularly true when it comes to managing a breach scenario. Make sure you have a team ready to respond remotely with clearly defined roles and responsibilities and, if you haven’t already, ensure colleagues have access to a reliable video conferencing platform. This team should also run stress tests with different scenarios to iron out problems before they occur.
  - Limit your data - the best way to reduce the risk of a breach is to regularly audit and limit the amount of data your organisation is holding. The more data that is held, the greater the likelihood of a breach.
  - Secure your data - it may sound obvious, but ensure any data your organisation holds, both physical and electronic, is fully secured.
- Implement your breach reporting process - having a well-rehearsed breach reporting process is critical, not only so employees know how to report one, but so that they can confidently recognise when a breach occurs in the first place. Reporting processes, and training on how to report breaches, should be in place prior to the event. If an employee is responsible for a breach, they could be nervous about reporting it, particularly if it happened while they were working remotely. A key part of creating a positive culture around data privacy is to ensure employees are not scared about reporting an accidental loss.
- Respond - When it comes to a data breach, particularly in today’s digitally enabled world, time is of the essence. There are a few key things organisations should do to ensure the breach is managed effectively:
  - Assess the severity - fundamentally, the GDPR is in place to protect data subjects, so this is what you should base your primary assessment on. Qualify and quantify the exact details of the breach, and then assess and mitigate any potential consequences, firstly to the individuals involved, and then to the business.
  - React quickly - severe breaches require reporting within 72 hours - any delay will just add to the stress of managing it.
  - Seek external advice - many organisations won’t have the full in-house capabilities to manage a breach, particularly one on a larger scale. If this is the case for your organisation, build a network of external experts - for example, legal, cyber security or communications advisers - that you can call upon to help you manage the breach.
- Communicate - Effective communication is vital when it comes to managing a breach. During a breach scenario, there are several audiences that need to be communicated with:
  - The ICO - as mentioned, severe breaches must be reported to the ICO within 72 hours.
  - The subjects involved - where personal data is at risk, it is important to inform the subjects affected and provide advice to help them mitigate any risk.
  - Internal - key personnel such as senior management need to be kept regularly informed, and designated spokespeople will need to be media-trained. All employees will need to be communicated with, as many will be on the front line of any phone calls or emails from those affected by the breach, stakeholders, customers or the media. They need to know what to do, and who to refer queries to, to avoid any misleading information being leaked.
  - The media and social media - have press statements and media-trained spokespeople available and in place in the event of any media interest in the breach. Similarly, ensure social media channels are being monitored, to both help you respond to concerns and correct any misleading information that could be in circulation.
- Evaluate - After any breach, regardless of severity, it is important that it is fully evaluated so lessons are learned. Keeping a detailed account of everything that has happened and the actions taken, which will be required for auditing purposes, will also help your organisation assess where investment in systems or training needs to be focused to help prevent any future breaches occurring.
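Two parts of the process above are concrete enough to hold in a small tool: the 72-hour reporting window from the Respond and Communicate steps, and the timestamped account of actions that the Evaluate step says auditors will ask for. The following breach register is an added example written for this page; it is not code from the original post or from The Compliance Space. The severity thresholds it uses (any breach above "low" is reported to the ICO, only "high" triggers notifying the individuals) are a simplification assumed for the example, modelled on the post's "severe breaches" and "where personal data is at risk" wording, and the sample breach is constructed.

```python
"""Breach register: deadline tracking plus an auditable action log.

Added example for this page (not the post's or The Compliance Space's code).
The notification thresholds in Severity are an assumed simplification.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import IntEnum
from typing import List, Optional, Tuple

# The post states that severe breaches must be reported to the ICO within 72 hours.
ICO_REPORTING_WINDOW = timedelta(hours=72)


def parse_time(text: str) -> datetime:
    """Parse an ISO-8601 timestamp and insist on a timezone, because a remote
    team logs events from different locations and naive times would make the
    deadline arithmetic ambiguous."""
    when = datetime.fromisoformat(text)
    if when.tzinfo is None:
        raise ValueError(f"timestamp must carry a timezone: {text!r}")
    return when


class Severity(IntEnum):
    LOW = 1     # assumed: unlikely to result in a risk to individuals
    MEDIUM = 2  # assumed: some risk to individuals
    HIGH = 3    # assumed: high risk to individuals


@dataclass
class BreachRecord:
    description: str
    became_aware: datetime          # the clock starts when the organisation becomes aware
    severity: Severity
    subjects_affected: int
    reported_to_ico_at: Optional[datetime] = None
    actions: List[Tuple[datetime, str]] = field(default_factory=list)

    # --- deadline tracking (Respond / Communicate) ---
    def ico_deadline(self) -> datetime:
        return self.became_aware + ICO_REPORTING_WINDOW

    def hours_remaining(self, now: datetime) -> float:
        """Hours left in the window; negative once the deadline has passed."""
        return (self.ico_deadline() - now).total_seconds() / 3600

    def must_notify_ico(self) -> bool:
        return self.severity >= Severity.MEDIUM      # assumed threshold

    def must_notify_subjects(self) -> bool:
        return self.severity == Severity.HIGH        # assumed threshold

    def is_overdue(self, now: datetime) -> bool:
        """True only if a report is required, none has been made, and the window has closed."""
        return (self.must_notify_ico()
                and self.reported_to_ico_at is None
                and now > self.ico_deadline())

    def reported_within_window(self) -> bool:
        return (self.reported_to_ico_at is not None
                and self.reported_to_ico_at <= self.ico_deadline())

    # --- action log (Evaluate) ---
    def log_action(self, when: datetime, note: str) -> None:
        """Append an action; reject entries dated before the organisation became aware,
        which usually means a typo that would corrupt the audit timeline."""
        if when < self.became_aware:
            raise ValueError("action predates awareness of the breach")
        self.actions.append((when, note))
        self.actions.sort(key=lambda entry: entry[0])

    def record_ico_report(self, when: datetime) -> None:
        self.reported_to_ico_at = when
        self.log_action(when, "Notification submitted to the ICO")

    def audit_report(self) -> List[str]:
        """The detailed account the Evaluate step asks for, as plain lines."""
        lines = [
            f"Breach: {self.description}",
            f"Aware: {self.became_aware.isoformat()}  ICO deadline: {self.ico_deadline().isoformat()}"
            f"  ICO report required: {'yes' if self.must_notify_ico() else 'no'}",
            f"Subjects affected: {self.subjects_affected}"
            f"  subject notification required: {'yes' if self.must_notify_subjects() else 'no'}",
        ]
        lines += [f"{when.isoformat()}  {note}" for when, note in self.actions]
        return lines


def build_example() -> BreachRecord:
    """Constructed sample: an email sent to the wrong recipient, the everyday
    breach the post describes. Every value here is made up."""
    rec = BreachRecord(
        description="Client list emailed to the wrong external recipient",
        became_aware=parse_time("2020-04-01T09:00:00+00:00"),
        severity=Severity.HIGH,
        subjects_affected=120,
    )
    rec.log_action(parse_time("2020-04-01T09:15:00+00:00"), "Sender reported the error to the response team")
    rec.log_action(parse_time("2020-04-01T10:00:00+00:00"), "Recipient asked to delete the email and confirm")
    rec.record_ico_report(parse_time("2020-04-02T15:30:00+00:00"))
    return rec


if __name__ == "__main__":
    record = build_example()
    print("\n".join(record.audit_report()))
    print("Hours remaining at 2020-04-02T09:00Z:",
          record.hours_remaining(parse_time("2020-04-02T09:00:00+00:00")))
```

The register deliberately refuses timestamps without a timezone and actions dated before the organisation became aware: both are the kind of small data-entry slip that makes a reconstructed timeline unreliable when it is later audited. The `is_overdue` check only fires for breaches that actually require an ICO report, so low-severity incidents can still be logged and evaluated without producing false alarms.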
For more information on The Compliance Space, or to book a demo, contact us at https://www.thecompliancespace.com/book-a-demo