I had a discussion a little while ago with Phil Brown of C J International Services about a data breach response training tool he had been working on and was invited to take part in the trial. It was a great success and the product is now available for all businesses to take advantage of.
I suggested that he write a guest post for this blog and I am delighted to be able to share it with you today. I hope it will be the first of many over the years from partner firms that I hold in high regard and whose activity dovetails well with what Sirelark offers in the risk and insurance space.
At some stage every business is likely to experience a data breach, or to discover that it has been infringing the law by not having the appropriate measures in place to safeguard the personal data for which it is legally responsible.
Depending on a business’s state of preparedness, the consequences of a breach could vary between a catastrophic, reputation-ruining event on the one hand and a low-impact, lesson-learning event on the other.
A personal data breach is a breach of security which has an impact on the affected data (see Article 4 of the UK GDPR for the complete definition). It could be caused by human error, deliberate intervention (internal or otherwise) or a natural disaster. A responsible business simply cannot ignore a breach event, however it was caused. Those that do run the risk of experiencing much more damaging consequences later.
Ideally, a business proactively performs a risk assessment and puts in place appropriate technical and organisational measures – commensurate with the risk that the business faces – to fulfil its data protection obligations and help it recover quickly if a breach does occur.
Typically, the reaction to a breach incident is categorised into 4 phases:
- Containment and recovery – “stop the situation getting worse”
- Assessment of ongoing risk – “recap what risks you’re exposed to”
- Notification of the breach – “tell someone what has happened”
- Evaluation and response – “learn the lessons”
Clearly, responding to an incident without a plan – reacting ‘on the fly’ – rarely results in a satisfactory outcome. On the other hand, developing a plan with the input of key stakeholders – and rehearsing it and providing training – is going to result in a structured and considered response. And even if the plan subsequently proves to be less effective than required or hoped for, it is better than nothing.
Amid the typically frantic activity that follows the discovery of an ‘incident’, your appointed data protection manager will be called upon to decide whether a data breach has indeed happened. And if there has been a breach, it must also be decided whether it is serious enough to be reported to the Information Commissioner’s Office (ICO) and whether the affected individuals should be informed.
There is a lot to think about and many decisions to be made and, importantly, they need to be acted on within the time limits set by the regulations.
How is your business preparing itself for a personal data breach event? Data protection awareness training is an important and valuable part of that process. It will help staff understand their role in processing personal data and impart the knowledge required to ensure that your business fulfils its legal responsibilities following a breach under the General Data Protection Regulation.
If you want your business to be better prepared, you might want to consider enrolling your management and staff onto the CaPS online data breach management course at https://caps-ltd.co.uk/product/data-breach-management-course/.
Following the successful completion of this CPD-accredited course, attendees will be provided with a certificate of attendance which will help demonstrate your business’s data protection risk preparedness.
For further information please get in touch with me, Phil Brown. My contact details are on my website: https://www.cjinternationalservices.com/.
This article is of general interest and is not intended to apply to specific circumstances. It does not purport to be a comprehensive analysis of all matters relevant to its subject matter. The content should not, therefore, be regarded as constituting legal advice and should not be relied upon as such. In relation to any particular problem which they may have, readers are advised to seek specific advice. Further, the law may have changed since first publication and the reader is cautioned accordingly. © 2021 C J International Services Limited. All rights reserved.