In 2017, a study was carried out which estimated that the likelihood of being struck by lightning is 1 in 960,000 and the likelihood of a data breach is 1 in 4. If these predictions are accurate or even close, it is likely that every organisation will, at some time, experience a data breach.
What is a breach?
The ICO defines a personal data breach "as a security incident that has affected the confidentiality, integrity or availability of personal data".
How can a breach occur?
A breach can happen when personal data is lost, stolen, copied, destroyed, altered, corrupted or accessed by someone not authorised to do so, or when data is passed on without authorisation. Many breaches are accidental and happen through human error:
- The wrong recipient receives an email
- A memory stick or other equipment is lost
- Paper records are damaged
- A laptop is corrupted
Some breaches can occur through unlawful acts:
- A computer virus
- A mobile, laptop, other equipment, files or bag is stolen
What happens if there is a data breach?
- Early intervention – identify what has happened and contain the breach.
- Procedures – follow steps in your data breach procedure to ensure there is a planned approach. Appoint individuals who will handle the breach. Contact those who can assist such as your data protection officer.
- Risk to organisation – determine the risk to the organisation and the data subjects.
- Duty to report – the GDPR introduces a duty to report certain types of personal data breach to the ICO within 72 hours.
- Inform the individual – if the breach is likely to result in a high risk of adversely affecting individuals' rights and freedoms, you must inform the individuals affected without undue delay.
- ICO investigation – in some cases, the ICO will want to investigate and may visit the business or organisation and carry out a data protection audit. This can be costly and will interrupt the smooth running of the business.
- Claims for compensation – individuals can claim compensation so advise your insurers of the breach.
Steps to consider to prevent further breaches
- Evaluate current systems and procedures
- Improve cyber security
- Limit access to those who can see the data
- Improve destruction processes and policies
- Keep backup copies of information both on-site and off-site
- Undertake regular audits
- Train those who handle data
We work with organisations and businesses in a variety of sectors, including the medical, retirement and third sectors. Unfortunately, breaches can occur. We are experienced in dealing with and managing all types of breaches to ensure that the damage to the organisation and to the data subjects is contained.
How can Affinity Resolutions Help?
We understand an organisation's need to use an outside business. With our unique legal, practical and marketing approach, we will create for you a bespoke agreement which both complies with the GDPR and allows you to carry on your business as you wish.