BLS Stay Compliant


What to do in a data breach

Failing to report a data breach could lead to a fine of £8.7 million or 2% of global turnover.

In the UK, a data breach must be reported within the first 72 hours of discovery, where feasible, under UK GDPR. The data breach should be reported to the Information Commissioner’s Office (ICO) in the first instance.

Recent news headlines have shown the prevalence of cyber security attacks worldwide, including those affecting the Japanese brewing company Asahi and the UK-based retailers Marks and Spencer and Co-op in recent months.

One of the crucial elements of managing a data breach is being able to recognise one in the first place. Many of our clients are quick to recognise a breach, which enables them to report it and manage the consequences quickly, potentially reducing the harm caused. Adequate training is required for this, as well as ensuring appropriate policies and procedures are in place to ensure due diligence and thorough approval processes.

However, despite these measures, data breaches do sometimes occur, and it is important to know exactly what your organisation will need to do to avoid additional damage and potential fines.

What do I need to do in a data breach?

If you are the person who recognises a data breach, the first – and immediate – thing to do is to contact your supervisor and the data protection officer of the company. This should be done without delay to ensure that the timeframe for reporting is met. As soon as a data breach is recognised, the clock begins ticking, meaning that from the moment a member of staff notices a breach, the organisation has 72 hours to complete a report for the ICO.

This is important regardless of the size of the data breach.

The data protection officer and/or information governance team will then be responsible for risk-assessing the impact on individuals’ rights and freedoms, mitigating any damage and informing the relevant authorities and individuals.

This should include:

  • The ICO, first and foremost, by completing the self-assessment tool online, which will give further guidance on next steps for reporting.
  • Individuals impacted by the breach, as required under UK GDPR.
  • The company board members and other relevant parties.
  • Making a record of the data breach for company files.

Do I need all the information on a data breach before reporting it?

No. It is not necessary to have collected all the information before reporting, as the ICO allows information to be submitted in phases as and when it becomes available.

Therefore, if not all information is available on first recognising and reporting the breach, the next step will be to work on gathering as much information as possible on the breach, the data involved and the impact this might have.

This investigation should be a priority.

Following a thorough investigation, adequate reporting and the management of any associated impact of a data breach, the next steps are to consider what caused the data breach and how to mitigate it in future.

This could include:

  • Refreshing or improving staff training.
  • Adding additional support or supervision in certain company roles.
  • Updating policies and procedures (such as near-miss policies, reporting procedures and risk assessment documents).
  • Allocating more resources to investigating breaches and near misses, especially if this has occurred more than once.
  • Securing personal data through restricting access or improving technical security measures.
  • A full audit to discover any gaps in protection that may leave data vulnerable.

You may also find that subject access requests increase in volume following a data breach, as well as data-related complaints. These should be managed in accordance with company policies and without delay, ensuring the appropriate timelines are followed as per legislation.

Our organisation is well versed in managing a data breach, having offered this service for our clients for many years.

We can handle breaches on a one-off basis when immediate and expert management may be required, or through our managed service offering, meaning our team can work alongside your team immediately on recognition of a breach.

We also offer training specific to cyber security, as well as role-based courses and board briefings, to develop staff skills in recognising a breach and acting appropriately. If you feel we can be of assistance with this, please feel free to explore our website or, for more details, do get in touch.
