Following the introduction of the General Data Protection Regulation last year, the Information Commissioner's Office (ICO) was slow to take action over breaches of personal data.

But the proposed fines of £183 million for British Airways and £100 million for Marriott sent a clear message that the regulator means business and that GDPR will be rigorously enforced.

Are you making personal data a board level priority? And do you know how to react if you do suffer a personal data breach?

No more weak enforcer

The fines were clearly intended to put data protection up the corporate agenda and signal the arrival of the new regulatory regime. But what does the regulator expect organisations to do in practice to minimise the risk of a breach and to respond if a breach does occur? We recently held a webinar explaining the GDPR’s data breach requirements and gave advice on how to react most effectively if a breach does occur. The main points we covered were:

Information security

The GDPR requires organisations to put in place ‘appropriate technical and organisational measures’ to protect personal data. But the regulation does not contain detailed information security standards. This means that each firm needs to decide what is ‘appropriate’ for their business. You should:

  • Carry out a risk analysis to assess the appropriate level of security to put in place
  • Have an information security policy and – critically – make sure it is fully implemented
  • Use encryption and/or pseudonymisation where appropriate – this reduces risk
  • Make sure you can restore access to personal data in the event of any incidents
  • Carry out regular testing to ensure your security measures remain effective
  • Where appropriate, implement measures that adhere to approved codes of conduct or certification mechanisms
  • Check that any third parties processing data on your behalf also implement appropriate security measures

Appropriate training

Train your people to recognise and escalate a data breach. Remember that the definition of a breach is wide and can relate to manual or electronic information. A document containing personal information left on top of the photocopier, an email sent to the wrong person, or a successful cyber attack are all examples of data breaches. Adequate training helps to establish a culture where personal data is valued and where everyone can play their part in minimising the risk of a breach and knowing what to do if a breach occurs.

If you report a breach to the ICO it will probably ask whether your staff have been trained and may want to see evidence of this.

Managing a breach

If you experience a personal data breach you will need to act quickly. Not all breaches need to be reported to the regulator, but where they do this must be done within 72 hours of discovery. You should ensure that your organisation has a robust process in place for handling and reporting a breach by:

  • Having a process for recording and escalating suspected breaches
  • Having a process for deciding whether to notify the ICO or any individuals affected - this means assessing the likely risk to individuals – e.g. financial loss
  • Keeping a record of the circumstances surrounding the breach, including:
    • The type of information that has been compromised
    • When and how you found out about the breach
    • The individuals that have been or may be affected by the breach
    • How you are going to respond to the breach
    • Preparing a breach response plan and running realistic dry-runs to test procedures

What should you do now?

No organisation can guarantee it will never have a personal data breach, but by putting in place appropriate security and breach management processes you will mitigate the risk and put yourself in the best position to handle any investigation by the regulator.

Our webinar can be viewed in full below and for further information please contact Iain Bourne.

GDPR - To notify or not to notify? Find out more
Opinion The ICO is showing its teeth Find out more