Data breaches occur when sensitive personal information falls into the wrong hands. GDPR imposes an obligation on all organisations to report any data breaches within 72 hours of becoming aware of the breach.
To meet this obligation, organisations need processes that ensure data breaches are detected and reported, and a clear internal procedure for handling them once they are identified.
Whatever your business, it is important that you and your staff are able to recognise when a data breach occurs and what measures you need to take to respond to a breach.
Common types of data breaches
There are several ways a data breach can occur, but most result either from human error or from insufficient security measures. Some of the most common causes of data breaches include:
- Loss or theft of physical files or electronic devices containing personal information;
- Sending emails or attachments to an incorrect recipient;
- Unauthorised third parties accessing information; or
- Employees taking client information for their own use, for example a disgruntled employee who is planning to leave the company and poach its clients.
How can data breaches be prevented?
- Risk assessments – consider how data is backed up and how employees access it. If employees are working from home, accessing data on remote systems or taking sensitive data home with them, a record should be kept of what documents have been taken and where they are. Appropriate policies and procedures should be put in place to make sure sensitive data is protected.
- Having a procedure in place to deal with any data breaches that come up
If a data breach does happen, it cannot simply be ignored. Having a plan in place for when breaches occur means that, in most cases, they can be dealt with both quickly and consistently. The plan should cover how to assess whether the breach needs to be reported to the ICO and whether the data subjects need to be informed.
- Staff training
Training your staff so that they understand what a data breach is and how breaches occur will help to ensure that breaches are both prevented and reported. It is also important that your employees know the procedure for reporting a data breach, who it should be reported to and what the consequences of a breach may be.
- Make sure any third parties you’re dealing with have adequate systems to protect company or customer data
If you are dealing with third parties who process customer or staff data on your behalf, you should make sure they have systems in place to secure and protect the data you provide to them.
- Learn from mistakes
If you do suffer a data breach, determining how it occurred will help you put measures in place to prevent the same thing from happening again. This may include upgrading security systems or carrying out additional training for staff.
Tend Legal, London