So – you’ve got your two data privacy notices in place, your data retention policy, your data protection policy, your procedures to implement the policy, and your staff are well trained. Major companies have all these and still data breaches happen. It could easily be yours too. It happens.
Preparation & Planning Prevents Poor Performance
It’s better to assume that the worst will happen, and to plan for it – especially as you don’t know how big or small the problem will be. It doesn’t take too much effort. All you need is a short Plan, to know what to do, and who is to do it. Once you’ve got the Plan, it can be put away … provided that you know where it is and can call upon it when necessary – fast.
A policy for the business
It’s important for all employees to recognise a data privacy breach when they see one – basically any loss of, damage to, misuse of, or leakage of any personal data about people. It can be anything, from accidentally giving out an individual customer’s personal phone number to somebody else, to a hacker taking your entire database.
All staff must be told – and repeatedly – that if they discover a breach, they must report it up immediately. Drop everything else and do it. Make it clear that even if they are responsible for the breach, they will make the consequences for themselves far worse if they don’t report it – and will gain credit for quick reporting.
Who takes charge?
This should all be in the Plan, and it should be someone senior – the CEO, perhaps, certainly a senior Board member. If the breach is serious, and the Information Commissioner’s Office (ICO) must be told, the business will gain credit for taking data privacy seriously if it deals with it at a senior level.
What needs doing
There are four urgent tasks: Contain the breach, and if possible recover data; Assess and record it; Notify as necessary; and Prevent it happening again. But first: …
Assemble the team
The Plan will set out who the team is: the Board member (in charge) and, depending on what has happened, any or all of: the compliance/risk director and legal adviser (both almost certainly), Data Protection officer (if there is one appointed), IT director and/or IT consultants (if the breach is a hack, for example), director marketing/media/customer relations/complaints (if publicity or complaints are likely to happen), departmental director (of the department causing the breach, if the breach is not IT), and HR director (if disciplinary action is conceivable, or if employee data has been breached).
Contain and recover
The team must identify what has happened – fast – decide whether a breach has occurred, take action to stop it, and if possible recover or delete the lost data. The team must also consider notifying the insurers.
Assess and record
The team must assess the seriousness – how sensitive is the data? Who is affected and how seriously (likely consequences to the data subjects, and can the loss be used to cause harm?). What are the likely consequences for the business (reputation, fines, business damage)? The details and results must be recorded in the data breach register.
Notify as necessary
The team needs to consider notifying the affected data subjects (if there’s a high risk to them as a result), the police, commercial partners (for example if a contract says that they must be told); and the ICO and any other relevant data protection authority (for example if the breach affects a data subject in the EEA, then an EEA authority might need informing).
The ICO must be told “without undue delay and not later than 72 hours after discovery of the breach” unless the breach is unlikely to result in a risk to the data subjects’ rights and freedoms.
Prevent it happening again
The team will want to find out what security procedures were in place, and whether these were followed; consider new/revised procedures and staff awareness training. It may also consider an external risk assessment. It will update the risk register.
Planning in advance does not take a great deal of effort and can save a good deal of time and grief on the day it happens. But just as importantly, or more so, prevention is better than cure …
Give staff frequent and meaningful training on protecting data and privacy, including the need to report breaches quickly. Make it personal and practical and encourage them to practise their home IT security – backups, VPNs, proper passwords, and protecting those passwords. Staff who are personally data protection-savvy will protect your business data better.
Written by James McLeod
Principal at My Inhouse Lawyer