In its latest Cyber Security Breaches Survey, published in March this year, the government reported that 39% of businesses had experienced cybersecurity breaches or attacks in the 12 months before the survey, and it stated that breaches are a ‘serious threat’ that can have substantial costs for businesses.
What is a data breach?
There are three types of data breaches:
1. A confidentiality breach occurs when someone accesses personal data they should not have access to. For example, personal data being emailed to the wrong recipient, or a hacking incident.
2. An integrity breach occurs when personal data is changed by someone who is not authorised to change it. For example, data being accidentally altered by an employee.
3. An availability breach occurs when personal data can no longer be accessed, whether this happened accidentally or through unauthorised action. For example, a server failure that leaves data inaccessible.
What do we do if a data breach occurs?
When a data breach occurs, it is important to carry out an investigation as soon as possible so that you can determine what has happened, assess what you need to do and gather the information you need if a report is to be made to the ICO (please see below).
Do we need to notify the ICO?
A data breach must be reported to the ICO where it is likely to result in a risk to the rights and freedoms of individuals. You will need to carry out a risk analysis, taking into account a number of different factors, to determine whether a breach needs to be reported. Failing to notify the ICO of a data breach where you are required to do so can result in a fine of up to £8.7 million or 2% of global annual turnover.
Where a breach is reportable, the report must be made within 72 hours of you becoming aware of the breach. Even if you decide that a breach does not need to be reported, you must still document it.
Should we notify individuals?
Individuals must be notified where a breach is likely to result in a high risk to their rights and freedoms. This is a higher threshold than for notifying the ICO, and you will need to determine the nature of any potential risks, their severity and how likely they are to occur.
What steps can be taken to make sure we can prepare for potential data breaches?
Examples of steps you may wish to consider include:
1. Carrying out a data protection audit of your business (i.e. reviewing what personal data you hold and what you do with it). This can help you gain a better understanding of how personal data is being handled and identify any areas of risk. It can also help to confirm that policies and procedures are being followed and to identify any compliance issues.
2. Training employees.
3. Making sure employees know what to do and who to speak to if there is a data breach.
4. Putting in place risk mitigation procedures.
5. Testing systems and procedures.
6. Reviewing existing contracts to make sure that processors are under appropriate obligations in respect of any data breaches they are responsible for.
7. Implementing a data breach policy that sets out what you will do in the event of a data breach.
8. Where required to do so, carrying out a Data Protection Impact Assessment.
9. Reviewing your insurance arrangements to ensure you have adequate protection and considering arranging other policies such as cyber liability insurance where appropriate.
10. Making sure you understand why previous breaches have occurred and learning from them.
If you require assistance with preparing for potential data breaches or if you would like more information about GDPR compliance, please contact the Corporate and Commercial department at 3CS or your usual 3CS contact.