How to identify and react to a data breach
Preparation is essential when it comes to data protection. Many startup organisations are unsure how to recognise a breach, how to react, and whom to tell. Failure to report a breach is usually down to a lack of knowledge, expertise, and data protection training. Training your staff to identify and respond to a personal data breach can save you a substantial fine later on: under the GDPR, fines can reach €20m or 4% of global annual turnover, whichever is higher.
Here's how to identify a data breach and what to do when it happens.
What is a data breach?
According to the General Data Protection Regulation (GDPR), a personal data breach is 'a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.'
Personal data is any information relating to an identified or identifiable living person, anything from a home address to medical records.
Startup organisations often over-report data breaches to avoid any risk of sanctions. Personal data breaches vary in severity and not all of them need to be reported, but you should keep a record of every single one, including those you decide not to report.
How to identify a data breach
So you know what a data breach is, but do you know when to report it? If a data breach is likely to result 'in a risk to the rights and freedoms of natural persons', report it to the Information Commissioner's Office (ICO). The breach itself may be something as mundane as losing hard-copy notes or someone gaining unauthorised access to a colleague's computer; what matters is the harm it could cause, for example disclosure of sensitive or confidential information, identity theft, or damage to a person's reputation.
Remember that the context, the scale, and the sensitivity of the data are more important than how the breach happened. Breaches caused by human error and genuine mistakes are still breaches, and the same reporting rules apply to them.
The ICO and the European data protection authorities publish detailed guidance on reporting thresholds if you are unsure of the severity of a personal data breach in your startup.
Assess each breach individually to decide whether it needs to be reported. Some breaches cause only minor inconvenience; others can cause real financial or emotional harm to many individuals. Even if you decide that a breach does not need to be reported, record the breach and the reasons for your decision, so that you can justify it to the ICO later if asked.
What to do when your business suffers a data breach
Report a notifiable personal data breach to the relevant authority within 72 hours of becoming aware of it. Your staff should be trained in how to identify a breach and whom to report it to internally, for example a Data Protection Officer, who then handles the formal procedure. Bear in mind that the staff member who caused the breach may feel embarrassed by their mistake and be reluctant to come forward. Make it clear during data protection training that failing to report a breach is far worse than the mistake itself, and that the 72-hour clock starts when the organisation becomes aware of the breach, not when it finishes investigating.
Once you have identified the breach, establish what happened, which personal data was involved, how many people are affected, and how severe the impact is likely to be. Report to the ICO by phone and provide as many details as you can. If you do not have all the information within 72 hours, report what you know and supply the rest in phases; you can always provide more information later on.
Even if your organisation was the target of an attack, you remain the data controller and are still responsible for managing the aftermath. If you have suffered a financial loss as a result of the breach, look into data protection breach compensation for further help.
If the breach is likely to result in a 'high risk' to individuals' rights and freedoms, the affected individuals must be told without undue delay so that they can take precautions, such as changing passwords or watching for fraud. If informing each individual directly would take disproportionate effort, release a public statement instead.
Make sure the ICO can see the technical and organisational security measures you had in place before the breach and the steps you have taken since. Documented measures reduce the likelihood of enforcement action and of negligence claims.