If an organisation or institution in the UK incurs a data breach where personal or private information is disclosed without authorisation or is destroyed unlawfully, it will have 72 hours to inform the Information Commissioner’s Office (ICO) of the event. Specific details, including dates, figures and facts, will be required, and those charged with data security should use this short window of time to collect and prepare all the information that will be asked of them.
Failing to report a breach within the 72-hour window can lead to substantial fines. By taking on board the information in the following sections, enterprises can make sure they are ready to comply with the regulations.
Providing an initial assessment
Enterprises must outline the initial harm caused by the data leak and describe how it has impacted them. Details on how the breach was discovered and when it took place will also be required by the ICO, as well as the cause, if it is known.
Offering an analysis of impacted data
Firms will need to give the ICO information about all personal data exposed in the incident. The ICO will want to know the kind of data disclosed, as well as the extent of the breach. Companies will be required to state how many private records have been compromised, the number of data subjects potentially affected and the categories they fall into.
Defining the consequences
Firms must deliver a comprehensive assessment that illustrates the extent of the damage caused by the leak, and, in particular, any harm to data subjects. The assessment should cover not just the immediate impact, but also any damaging effects that may arise in the future. If the systems that provide the availability and confidentiality of the company's data have been affected by the event, the ICO will need to be informed of this and given an estimate of how long it will take for them to be fully restored.
Describing data security training
When human error is responsible for a data leak, enterprises must inform the ICO whether the employee involved had received appropriate data protection training, and provide the dates of that training and details of what it covered.
Listing actions taken
Firms must notify the ICO of any steps taken in response to the data breach, state whether the affected data subjects need to be informed, and say whether that notification process has begun.
Establishing a point of contact
Along with the name and address of the institution or organisation hit by a breach, the ICO will also require the name of the individual reporting the incident, and, if the company has one in place, the name of its dedicated Data Protection Officer (DPO).
Defending against data breaches
The secure platform from Galaxkey offers seamless protection from data breaches. With end-to-end encryption, all sensitive files and emails stored on your system remain inaccessible to attackers, keeping you compliant with data regulators and supervisory authorities, including the ICO. Contact us today for a free 14-day trial.