How to report a data breach?
When it comes to information security and the protection of our personal information, people expect companies to do everything they can to ensure that no data is lost. At times, however, an incident may occur in which some data is lost, stolen, or accidentally published. When this happens, you need to be sure you know how to report a data breach correctly.
What is a data breach?
Before we can report a breach, we first need to understand what one is. Under the GDPR, a personal data breach is defined as “the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data”.
Personal data, in turn, is defined as information relating to any natural living person.
This GDPR definition can cover a wide range of scenarios such as:
- Accidentally sending an email to someone it was not intended for (for example, by CC’ing them)
- Accidentally sending someone another person’s information
- Leaving personal information (such as name, phone number, address) exposed where other people can easily view it
- Deliberately deleting someone’s record within a computer-based system
- Not keeping personal information up to date and current
The list above is not exhaustive; however, it shows that there are numerous ways in which a moment’s carelessness could cause a breach without you realising it.
When it comes to breaches, the one most people think of first is where a company has been hacked or otherwise compromised and its data has been stolen, deleted or, worse, held to ransom. With this type of breach it is easy to see that the information has been unlawfully accessed, and potentially deleted or altered without authorisation.
There is, however, a sunnier side to this, if you can call it that: not all data breaches need to be reported to the UK’s Information Commissioner’s Office, the ICO.
When to report a data breach to the ICO?
If you think that you have had a data breach within your business, no matter how small or accidental, you should speak to your Data Protection Officer (DPO), if you have one. If you don’t have one and you are unsure of what to do, you can talk to the ICO and they will help you get to the bottom of it.
You should also invoke your incident management plan, work with the DPO or the ICO, and investigate the root cause. Put remediations in place to ensure this doesn’t happen again; these could be technical controls or something as simple as training.
When it comes to the actual reporting, you need to act quickly: identify what was accessed, how it was accessed, and how likely it is that the data breach has affected the rights and freedoms of a natural living person.
How to identify a breach?
We know what a data breach is and we know when we should report one, but how do we actually identify a data breach? As we’ve mentioned a few times throughout this article, a data breach is when someone’s personal information has been unlawfully disclosed, amended or deleted, whatever the action that caused it.
You may not realise for a while that this has happened, but as soon as you know something has happened, you need to act, investigate, and, where appropriate, report.
You may realise that a breach has happened because someone noticed they CC’d the wrong person into an email or emails, because someone reviewing system logs found evidence of it there, or because you have been subject to a ransomware attack and all your data is encrypted.
If you aren’t sure whether you have suffered a data breach, the UK’s ICO has an easy step-by-step assessment form which takes you through the process and helps you understand the level of severity. It can be found here: https://ico.org.uk/for-organisations/report-a-breach/personal-data-breach-assessment/
As part of the data breach reporting process, there are time limits within which you must act. Article 33 of the GDPR states: “in the event of a personal data breach, data controllers should notify the appropriate supervisory authority without any undue delay and, where feasible, not later than 72 hours.”
This means that you, as the data controller (the person who controls the data), must inform the ICO as quickly as possible once you have identified a breach.
What do I need to provide?
Before you pick up the phone to the ICO, you first need to have some information to hand and ready to provide. The ICO have a page which explains what you need to provide: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/personal-data-breaches/#authority
InfoSec Governance Services
We hope that this article helps you understand what you need to do in the event of a breach. By implementing Cyber Essentials processes and becoming certificated, you can help reduce the chances of a data breach. Additionally, phishing and awareness training can also help safeguard against possible breaches. We also offer dark web scanning solutions that keep an eye on the dark web for your company domain name and email addresses; if they are released there, we would inform you, allowing you to check your systems for compromise.