When and how to notify a data breach

Almost all organisations have had a data breach. Some of them know they have had a data breach. Most probably don’t. People tend to think that a data breach is caused by a hacker breaking into an organisation’s systems and gaining access to customer personal information for malicious purposes. The reality is that personal data breaches are far more likely to be the result of careless mistakes by employees than the work of hackers. In fact, 90% of UK data breaches are caused by human error.

By Claire Heaphy

Privacy Compliance Hub Information Officer

February 2020

It is virtually impossible for any organisation to eliminate the chance of a data breach ever happening. But what every organisation can do is take all steps necessary to minimise the risk of a data breach happening. This, combined with being prepared and knowing what action to take if a data breach does occur, will lessen its effects.

Organisations using the Privacy Compliance Hub know what they must do if they suffer a data breach, who is responsible for doing it and when it must be done by, all of which will limit the risk of fines, bad publicity and loss of vital customer trust. Planning ahead will free up valuable time to contain and recover from the breach itself.

Types of personal data breach (‘CIA’)

A personal data breach is not just unauthorised disclosure or access to personal information (a ‘confidentiality’ breach).  It also includes loss or destruction of personal information (an ‘availability’ breach) and alteration of personal information (an ‘integrity’ breach).

When, who and how to notify a personal data breach

Organisations must notify certain personal data breaches to the regulator (also called a relevant supervisory authority such as the ICO in the UK) and sometimes to the affected individuals as well.  Failure to notify a data breach when required is itself a breach of the GDPR. The ICO has a useful self-assessment tool to help organisations determine whether a breach needs to be reported.

Notification to the regulator

All organisations are required to notify the relevant supervisory authority (the ICO in the UK):

  • if a data breach is likely to result in a risk to the rights and freedoms of individuals (the severity of the potential impact on individuals as well as the likelihood of it occurring should be considered);
  • without undue delay and, where feasible, within 72 hours; and
  • in phases, if need be, as more information becomes available.  An organisation should not wait to notify until it has all the relevant facts.

Notification to affected individuals

The individuals whose personal information has been compromised must also be notified:

  • if the breach is likely to result in a high risk to the rights and freedoms of individuals, e.g. they are at risk of discrimination, physical harm, identity theft or fraud, financial loss or damage to reputation (completed data protection impact assessments will assist in assessing the risk level);
  • without undue delay, and informed of the steps they should take to protect themselves, e.g. change their passwords.


How to prepare for a personal data breach 

  • Have an up-to-date internal breach reporting procedure and an incident management plan – so you know exactly who needs to do what and when if you have a breach.
  • If you undertake cross-border processing in the EU, identify your Lead Supervisory Authority in your incident management plan.
  • Check that your processors are contractually obliged to notify you immediately of any breaches – data breaches must be notified to the supervisory authority as soon as possible and generally within 72 hours.
  • Ensure you have adequate security measures in place so that even if you suffer a security breach, personal information is not compromised.
  • Train all your staff regularly – the majority of breaches happen due to staff carelessness, not because of hackers.
  • Document everything – maintain a record of data breaches which includes the reasons for any decision to notify or not. The GDPR mandates that all personal data breaches must be documented.


A culture of continuous privacy compliance 

In our view, the very best way to reduce the risk of a personal data breach happening and to minimise its effects if it does happen is through a cultural shift in your organisation. At The Privacy Compliance Hub, we help organisations establish and maintain a culture of continuous privacy compliance by making everyone in an organisation understand privacy, care about privacy and do their bit to protect personal information. Our platform contains a structure, a programme, a route map, records, information, reporting and training to enable all organisations to comply with the GDPR and other privacy rules. It contains everything that you need.
