Managing a data security breach
If, despite the security measures you take to protect the personal data you hold, a breach of security occurs, it is important that you deal with the security breach effectively.
A breach may arise from a theft, a deliberate attack on your systems, from the unauthorised use of personal data by a member of staff, or from accidental loss or equipment failure.
However the breach occurs, you must respond swiftly and manage the incident appropriately. Having a policy on dealing with information security breaches is another example of an organisational security measure you may have to take to comply with the seventh data protection principle.
There are four important elements to any breach-management plan:
- Containment and recovery – the response to the incident should include a recovery plan and, where necessary, procedures for damage limitation.
- Assessing the risks – you should assess any risks associated with the breach, as these are likely to affect what you do once the breach has been contained. In particular, you should assess the potential adverse consequences for individuals; how serious or substantial these are; and how likely they are to happen.
- Notification of breaches – informing people about an information security breach can be an important part of managing the incident, but it is not an end in itself. You should be clear about who needs to be notified and why. You should, for example, consider notifying the individuals concerned; the ICO; other regulatory bodies; other third parties such as the police and the banks; or the media.
- Evaluation and response – it is important that you investigate the causes of the breach and also evaluate the effectiveness of your response to it. If necessary, you should then update your policies and procedures accordingly.
At present there is no obligation to report a data breach to the Information Commissioner although some organisations already do so.
However, the new EU General Data Protection Regulation will make reporting data breaches mandatory for those controllers and processors to which it applies and it therefore seems appropriate to commence recording data breaches in a standard format. A form is available to enable reporting. For further information, please also see our guidance available below, "Managing a data security breach".