A data breach is defined as a breach of security that leads to the unlawful or accidental destruction, loss, alteration, unauthorised access to or disclosure of personal data stored, sent or processed in connection with ‘the provision of a public electronic communication service’.
A data breach can refer to incidents in which an individual or group other than the designated data controller gains unauthorised access to personal data. However, a breach can also take place when unauthorised access is given within an enterprise or institution, or when a member of a data controller’s staff accidentally deletes or alters a personal data file.
When a data breach occurs in the UK, companies may need to notify the Information Commissioner’s Office (ICO) and any individuals whose personal data has been disclosed during the breach.
When and how to notify the ICO
Businesses suffering a data breach should notify the ICO within 24 hours of discovering an incident.
The essential details required by the ICO in the notification include the company name and contact details for the staff member responsible for overseeing the incident. Affected enterprises must also state the estimated date and time of the breach and when it was first detected. Some basic information about the breach should be given, including details on the nature of the personal data exposed.
Wherever possible, full details of the breach should be submitted, including how many people are affected and what the short- and long-term impact of the disclosure may be on them. Any measures adopted to mitigate these harmful effects, and details of customer notifications, should also be listed. If such information is not immediately available, it should be included in a second notification within three days of the first completed form. The second notification should supply the missing details or set out the time frame within which they will be made available.
The breach notification form requiring completion is available from the ICO website and supporting documents can be attached.
When and how to notify impacted individuals
If a breach is likely to adversely affect an individual’s personal data, that individual must be notified without undue delay.
Those impacted should be informed of your company name along with how to contact you. They should also be given an estimated date for the incident and a summary of the breach, including what kind of personal data was exposed and the potential negative effects associated with this occurring. You should state what steps have been taken to address the incident and how they can personally avoid any potentially adverse effects.
Safeguarding data against a breach
If a company can demonstrate that the personal data involved in a breach had been made unintelligible by a security measure such as encryption, the ICO states that the affected individuals do not need to be notified of the incident.
At Galaxkey, we have built a secure platform complete with a powerful encryption option. Using a cutting-edge three-layer encryption that is easy for users to employ, we can ensure the personal data you retain is always safe from prying eyes, whether it is being sent or stored. Contact us today for a free 14-day trial.