Personal Data Breaches

A breach involving your organisation’s personal data can have a significant effect on data subjects, your staff and your organisation (both financially, through fines from the ICO, and reputationally). The latest research from IBM suggests that the average cost of a data breach to a UK business is £2.9 million, taking into account both the immediate actions needed to deal with the breach and its longer-term effects, such as loss of business.

One of the key findings of the IBM report was that these costs were significantly lower where organisations had clear incident response plans in place and tested those plans. Such plans allow incidents to be detected early and responded to effectively, helping to mitigate risk and providing a clear process for the ongoing management of incidents. They help staff understand:

  • How to recognise a breach
  • How to report a breach
  • Key roles and processes around managing breaches
  • When to report to the ICO and data subjects

It will also be important to consider your third parties: how clear are they about their responsibility to inform you promptly of any breach involving your data, and are there clear contracts or data processing agreements in place that document this responsibility?

And of course, prevention is always the best policy. It is difficult to eliminate the risk of a data breach completely, but by implementing effective technical and organisational measures to protect your personal data, and by routinely testing the security of your systems and processes, you will be in a much stronger position both to prevent breaches and to manage any that do occur. Such measures may include:

  • Encryption of personal data and devices that handle personal data
  • Enforcing multi-factor authentication and strong credential requirements for user accounts and passwords
  • Patching and updating software promptly when new versions and security updates are released
  • Routine vulnerability scanning of systems and annual penetration testing wherever possible
  • Minimising the data you hold to only what is essential, and retaining it only for as long as it is needed
  • Educating employees on how to store, share and use data securely

And remember, data breaches are reportable to the ICO where they pose a risk to individuals’ rights and freedoms. It will be important for you to decide whether this is the case for each specific data breach and to record your decision on whether or not to report it. Where there is a high risk to these rights and freedoms, the individuals affected (the data subjects) must also be informed. Failing to report appropriately could lead to a significant fine of up to 10 million Euros or 2 per cent of your global turnover, so ensuring you have robust procedures for the detection and notification of breaches will be key.