We’re here to help you
When organisations suffer a data breach, it can be stressful. We’ve assisted clients with quite a few. It often happens at the worst time for our clients or when we are all on holiday! Whenever it strikes, though, we are here to support you as best we can.
We have set out some information below about what a data breach is and some immediate steps that you will need to take to respond to it. Please note that this information is provided for general purposes only – you may need to seek specific legal advice from us about your particular situation. If so, we’re happy to help – you can find details of how to contact us below.
Note: if your potential data breach involves a cyber or IT incident, you may also need to seek immediate assistance from your IT team and/or other cybersecurity, incident response and forensic specialists to contain the incident. If you have cyber insurance, you should also report your concerns to your insurer – they often have support services that can respond rapidly.
What is a personal data breach?
Under the General Data Protection Regulation (GDPR) in the UK, a personal data breach is:
“a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed.”
It can occur in a range of scenarios, including a cyberattack that enables criminals to access personal data, a ransomware attack, a laptop being misplaced, an email being sent to the wrong person, or losing access to important personal data (or that data becoming corrupted).
Remember that organisations must process personal data in a manner that ensures:
“appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (integrity and confidentiality).”
That security should be appropriate to the likelihood and severity of risks and take into account factors such as:
- The state of the art (i.e. the technology available).
- The cost of implementation.
- The nature, scope, context and purposes of processing.
- The risk of varying likelihood and severity for the rights and freedoms of natural persons.
- Any specific risks that the processing presents, including employee reliability, compliant sharing with processors/controllers and international transfers.
- Data protection by design and default.
Failure to meet this security requirement is itself a breach of the GDPR.
Watch out! The clock is ticking. There are strict reporting deadlines to comply with if you believe that your organisation has suffered a personal data breach, so speed is of the essence. If the breach meets the threshold for reporting it to the Information Commissioner’s Office (ICO), you must do so without undue delay, and within 72 hours.
An initial partial response may be acceptable while you continue your investigation and establish further facts, but you will need to provide as much information as you can to the appropriate regulators as soon as possible and follow it up with more information as required (reporting requirements are discussed further below – and of course we are always happy to help).
Our top 10 steps to follow if you believe that a data breach has occurred
If, despite your best efforts to keep data secure, you believe that a data breach has occurred, your organisation has various legal requirements under the GDPR. Therefore, you should follow some immediate practical steps to handle the breach, and hopefully limit the potential fallout.
Read on for our top 10 steps that most organisations should take.
- Undertake immediate containment and recovery
- Notify your cyber insurer and other insurers
- Notify the ICO and other data protection regulators – potentially within 72 hours
- Assess the ongoing risk and document your breach-handling
- Notify other regulators or third parties if necessary
- Notify individuals
- Notification between controller and processor organisations
- Notify or request assistance from other third parties
- Consider PR and communication plans
- Evaluate your personal data breach response
1. Undertake immediate containment and recovery of the data
To contain and recover the data as soon as possible:
- Inform your organisation’s data protection officer/responsible person immediately.
- Carry out an appropriate initial investigation to understand quickly what has happened.
- Take any immediate steps to contain the situation. For example:
- If a laptop has been left on a train, can you call and inform the train driver?
- If a ransomware attack has happened, have you informed your IT team or support providers and sought immediate advice/action to contain the incident?
- If user accounts and passwords have been obtained, can you remotely reset passwords or block access to systems?
- Form a personal data breach and incident response team that consists of appropriate individuals from your organisation’s departments. For example, you may need representatives from the senior management team, data protection team, personnel team, IT team, communications and PR teams, legal team and so on.
- Follow your procedures. Ideally, you will be able to enact your data breach procedures and follow rehearsed incident management plans. Don’t worry if you don’t already have these in place – we can quickly help.
- Take any further immediate steps to limit the damage. Consider whether any steps will make the damage worse.
2. Notify your cyber insurer and other insurers
Under your insurance policies, you may have a requirement to notify relevant insurers as soon as you become aware of a breach.
If you hold cyber insurance (and we recommend that you do), you may find that not only do you need to inform your cyber insurer, but they may provide legal and/or consultancy advice to help you handle the situation. Alternatively, they may authorise you to instruct us and other experts, and help you to pay the fees in due course.
3. Notify the ICO and other data protection regulators – if reportable, it has to happen within 72 hours
Assess whether it is likely that the personal data breach poses a risk to an individual’s “rights and freedoms”. If it does, notify the ICO (the UK’s data protection regulator) and, where relevant, other supervisory authorities (or the lead authority) in the European Union (EU).
Note: You must do this without undue delay, and in any event, at the latest within 72 hours of your organisation becoming aware of the breach.
Depending on the nature of the breach, you may have to report in similarly short timeframes to the supervisory authorities or regulators in other jurisdictions too.
We can help you with all of this if you need us – you can find details of how to contact us below.
If you are a UK-based organisation, you may wish to use the ICO’s free Self-assessment tool for personal data breaches to help you to identify whether the personal data breach is reportable. You may also find it useful to read the ICO’s free advice on initial UK GDPR breach reporting. We recommend that you ask us to review your draft ICO breach report form before you send it. We can often help point out a few things that you might need to think about as part of that report and to put your organisation in the best position at this stage.
We know from experience that initially, you may not have all the answers that the data protection regulators are seeking. You may need to compile an initial report to meet the statutory deadline while you continue your investigation and establish further facts. You will need to provide as much information as you can to the appropriate regulators as soon as possible and follow it up with more information as required.
4. Assess the ongoing risk and document your breach-handling
Following what may have been an initial investigation and report to the data protection regulators, you will need to continue to investigate the breach and manage the incident. You may also need to send follow-up reports to the regulators as soon as possible. This stage may involve bringing in other specialists to help, such as forensic IT experts. The National Cyber Security Centre (NCSC) has produced helpful Incident Management guidance here and here.
You should record all breaches, regardless of whether they need to be reported to the ICO. The GDPR requires you to document the facts regarding the breach, its effects and the remedial action taken. This is part of your overall obligation to comply with the GDPR’s accountability principle. It enables the regulators to verify your organisation’s compliance with its notification duties under the GDPR.
Ideally, you will also record your near misses, to help you plan better and protect the organisation going forward.
You should be able to enact your data breach procedures and follow rehearsed incident management plans to aid your investigations and reporting. Don’t worry if you don’t already have this in place, though: we can quickly help to set you up with data breach procedures, breach investigation timelines, report templates and so on. You can find details of how to contact us below.
5. Notify other regulators or third parties if necessary
You may also need to report the breach to:
- Other regulatory authorities that your organisation has responsibilities to. If you are in a regulated industry (such as financial or legal services), or a regulated sector (such as education), you may need to notify that regulator.
- Your stakeholders or other third parties as a result of contracts or other arrangements with those third parties.
Hopefully, you will already be aware of the timelines that these regulators and stakeholders have adopted for reporting breaches to them. However, you should note that their reporting requirements may be even faster than the 72 hours required to report to the UK and EU data protection regulators!
6. Notify individuals
Where the personal data breach results in a high risk to the rights and freedoms of individuals, the GDPR requires you to notify the affected individuals of the breach without undue delay.
This will include consideration of factors such as:
- What is a high risk?
- Could the breach lead to physical, material or non-material damage?
- Is special category personal data or criminal offence data involved? If so, the breach is very likely to be high risk.
- Were there effective technical and organisational protection measures in place, or other measures that ensure that the risk is no longer likely to materialise?
- Will notification help individuals to mitigate the damage?
- How is it best to communicate the breach?
- What can individuals do to protect themselves against the impact of the breach? The NCSC has produced helpful guidance for individuals here.
We can help you to consider whether such notification is required – please find details of how to contact us below.
7. Notification between controller and processor organisations
If your organisation is a processor (this could be a supplier of any kind that is processing personal data for its customers or clients, and includes IT and cloud service providers), the GDPR requires you to notify every personal data breach to the relevant controller without undue delay as soon as you become aware.
As a processor, you need to help the controller manage the risk to individuals. Prompt notification will help both parties to manage the risk properly and swiftly. We can help you with this where required – please find details of how to contact us below.
If your organisation uses a processor, you are required under the GDPR to detail your requirements on breach reporting in the contract between you and your processor.
Consider any breach reporting and handling requirements in controller-to-controller data sharing agreements, protocols, etc.
Joint controller organisations should also consider breach reporting and handling requirements in the agreed arrangements between them, as required by the GDPR.
8. Notify or request assistance from other third parties
You may also need to report the breach to – or seek assistance from – third parties such as the police, anti-fraud agencies, cyber agencies such as the UK’s National Cyber Security Centre (NCSC), banks and building societies that may need to take immediate containment steps and so on.
For example, if you have suffered a ransomware attack, the ICO recommends that you contact law enforcement because it plays a fundamental role in protecting individuals. The ICO works closely with various agencies in providing a multi-agency response to ransomware. You may find it helpful to read this ICO article on ransomware and data protection compliance.
The NCSC Small Business Guide to Response and Recovery provides practical advice to smaller and medium-sized organisations to help plan for dealing with incidents such as ransomware attacks. Larger organisations may follow the NCSC’s incident management guidance within its 10 steps to cybersecurity.
9. Consider PR and communication plans
Key to managing your organisation’s risk, and the impact of the personal data breach on individuals, is:
- How you communicate the breach to customers and clients who may have suffered from it.
- Managing the negative publicity that your organisation suffers, and the subsequent potential loss of trust.
If you have specialist communications/PR/customer support staff, you should contact them immediately to discuss appropriate communications in relation to the breach. The NCSC has also produced helpful communications guidance here.
10. Evaluate your personal data breach response
Regardless of any mandatory/contractual reporting requirements, you will need to investigate whether the breach was a result of human error or a systemic issue.
Having established this, you will then need to put in place measures to prevent recurrence. This process will include assessing how you have handled this breach and considering whether your response could have been better. You may need to follow up with some or all of the following:
- Data protection or breach-handling policies.
- Data protection training, ideally including some incident response rehearsals.
- Audits and updates to risk matrices.
- Changes to your organisation’s technical and organisational measures.
- Updates to your breach management processes, data breach reports and registers.
We can help
If an extra pair of hands to help handle your data breach response sounds appealing, please get in touch. The best way is to contact us with the subject “URGENT ADVICE REQUIRED”. We will be in touch straight away.
Read testimonials from our many satisfied clients
www.pritchettslaw.com/client-reviews
Copyright and Disclaimer
Copyright in this material is reserved to Pritchetts Law LLP. The views expressed in this material do not, and are not intended to, constitute legal advice; instead, all information is for general information purposes only. It may not constitute the most up-to-date legal or other information. No responsibility for loss occasioned to any person’s action or refraining from action as a result of reliance upon any information in this material can be accepted by Pritchetts Law LLP. If you require specialist legal advice, please contact us about your specific data breach situation, and we will be in contact about our legal advice services and onboarding you as a new client if we can assist.