Support with data breaches
The GDPR/DPA2018 sets out timescales for dealing with data breaches.
Where a report to the Regulator is merited, this must be done within 72 hours and the affected Data Subject(s) must be notified without undue delay.
In addition, there is not only a potential penalty for the breach itself, but also an additional penalty for failing to report a breach in a timely manner.
Whilst we are all mindful of the ICO’s ability to impose fines, financial penalties could pale into insignificance compared to the reputational damage that can arise from public knowledge that your organisation has suffered a data breach.
Your insurance provider might also be keen to understand what has happened.
In outline, dealing with many breaches takes the following route:
The process in detail:
- We will help you identify whether or not the breach should be reported to the Regulator.
- A key factor in this decision-making is an understanding of whether or not there has been an impact on the affected party (the Data Subject).
- If a report is required, we will provide you with guidance on how to deal with the Regulator and also the Data Subject(s).
- We work with you to identify where and how the breach has occurred, so that an action plan can be put in place to plug the gap, to mitigate the damage and to plan future preventative measures.
- You will naturally want to avoid a similar breach happening again. The Regulator will be of the same opinion and will want to be certain that you are taking steps to avoid a similar incident in the future, whether or not a penalty is issued.
- Having identified the root cause of the breach, which could have been technical failure, human error or malicious action, we work with you to put in place a plan/schedule for tackling the issue, including discussion with technical providers, staff training, reviews of data/information security procedures and policies, and information to Data Subjects.
- There would be an immediate tranche of activity, likely followed by a medium-term schedule of touch points where we review your progress and make an independent report, which could be shared with the Regulator or your insurer.
- Critically, a paper trail is established that can be used as evidence to be sent to the Regulator or your insurer to demonstrate the action you’re taking.