What is a personal data breach?
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
But what does this actually mean in practice?
- Personal data
- For the data protection rules to apply, the breach must relate to personal data as opposed to purely commercial data which does not relate to individuals.
- Breach of security
- The data breach must be caused by a breach of security and does not include all “non-compliant processing” (for example, a company might be breaching the data protection rules by processing data without a privacy notice but this does not mean it has had a ‘personal data breach’). This links to the requirement that your organisation has appropriate technical and organisational measures in place to protect personal data.
- Accident or deliberate
- The breach can be caused by an accident (such as sending an e-mail to the wrong recipient) or a deliberate act which is unlawful (for example, allowing another organisation to access your CRM system without informing the relevant individuals).
- Destruction, loss, alteration, disclosure or access
- There are three main types of security breach:
- Confidentiality Breaches (disclosure of, or access to, personal data): This includes providing personal information to someone that should not have access to it.
- Integrity Breaches (alteration of personal data): This includes data becoming corrupt and irrecoverable.
- Availability Breaches (loss of access to, or destruction of, personal data): Such as when paper records are lost due to flooding and there are no back-up copies.
What should you do if you suspect a personal data breach?
If you suspect a personal data breach (whether caused by you or someone else), you should know who to tell within your organisation – do you have a compliance team or someone who will be responsible for overseeing the management of the breach? The relevant persons must be told immediately.
Those responsible for managing the response to the breach should:
- Contain, minimise and mitigate the breach, including making a recovery plan where relevant.
- Preserve all evidence relating to the potential personal data breach.
- Assess if the ICO, data subjects or any other parties require to be notified – is it a notifiable breach? If you are a consumer-based organisation, carefully consider the message you are issuing to your customers, supporters or clients.
- Record the details of the personal data breach – this is a legal requirement.
- Evaluate and share your learning within your organisation to ensure it does not happen again – make sure to update and fix any processes or systems which caused the breach.
How can we help?
Our Data Breach Response Team has extensive experience of assisting clients with various types and severities of data breaches – some of which have occurred on a cross-jurisdictional basis, and some of which have been caused by the organisation’s service providers.
If you have a notifiable personal data breach, you only have 72 hours from becoming aware of the breach to inform the ICO. This means that your staff need to be able to act quickly, and a procedure outlining the process for dealing with a breach will assist with this. We regularly assist clients in preparing and implementing personal data breach policies and procedures within their organisations.
The best step in preventing a breach is to have appropriate security measures in place from the outset. This includes having in place good data governance by way of policies, procedures and training. We can help your organisation to identify what policies it needs, prepare and implement those policies, and provide tailored training sessions to staff on the meaning of those policies and how these operate in practice.
Assessing whether there has been a breach
We can assist you in understanding whether or not you have actually had a breach, or if it is instead a non-compliance issue.
For fast and effective assistance, our dedicated Data Breach Response Team can be contacted on 0300 303 1019.
We can assist you in evaluating whether the breach is notifiable to the ICO and in preparing the appropriate notification. We can also help you to understand whether the breach needs to be notified to affected data subjects, and to draft clear communications informing them of the breach.
We understand the need to strike the right balance and assure data subjects that your organisation is dealing with the breach while making sure you satisfy the legal requirements on the content of such notifications. We also find it is useful for clients to put together FAQ documents for customers and other affected data subjects to help manage the questions that data subjects may have following a breach.