When a UK company suffers a data breach and sensitive or personal information is exposed, it has a 72-hour window to report the incident to the Information Commissioner’s Office (ICO). However, this is not as simple as just contacting the ICO and stating what has occurred. Detailed information comprising facts and figures will be requested, so companies are advised to make the most of the time period before notifying the supervisory authority.
Failure to report a data leak within the 72-hour window can result in substantial fines, but by considering the following information, companies can be prepared to follow protocol and remain compliant.
The ICO will need to know the name of the organisation that has been breached along with its registered address. The name of the person making the report will be requested along with the name of the company Data Protection Officer (DPO) if it has one.
Assessment of the situation
Companies will be required to explain the initial damage caused and outline how the breach has affected them. The ICO will also want to know what caused the breach, and how and when it was first identified.
Analysis of affected data
The ICO will require companies to provide details of any personal data that has been compromised. This will include the type of data and the scale of the data leak. It will ask how many files have been exposed, how many data subjects could potentially be affected by the breach, and which categories the data subjects involved fall into.
Define the impact
A detailed assessment will be required to describe any harm caused by the breach, especially harm to data subjects. This should also include any future damage that may occur. The ICO will need to know whether the confidentiality and availability of the company's information systems have been affected, along with an estimate of the time required to restore them.
Staff awareness and training details
If human error was at the root of the breach, companies must state whether the member of staff responsible received appropriate data protection training within the two years before the incident, and provide details of the training programmes employed.
Actions and preventative measures in place
Companies must inform the ICO of all actions taken, along with any further plans in place in direct response to the data breach. If it is necessary to inform affected data subjects, clients or suppliers, for example when the personal data exposed was not encrypted, the ICO must be told. If action has already been taken to notify these organisations and individuals, this should also be stated in the company's report to the ICO.
Complete protection from data breaches
To safeguard company data records at Galaxkey, we have designed a state-of-the-art security platform that ensures your confidential information is always protected. Featuring comprehensive encryption, our system can make sure your data is never left vulnerable to exposure.
Contact our dedicated team for further information and stay safe from data breaches.