A data leak, called a personal data breach in UK GDPR, is a breach of security that leads to the accidental or unlawful destruction, loss or alteration of personal data, or to the unauthorised disclosure of, or access to, personal data that is stored, transmitted or otherwise processed.

The term therefore covers any situation where a group or individual other than the established data controller obtains access to private data such as Personally Identifiable Information (PII) without the appropriate authorisation. It also covers unauthorised access from inside the organisation, and the case where a member of the data controller’s own staff mistakenly alters or erases a file containing PII. Availability matters as much as confidentiality: losing the only copy of a record is a breach even if nobody else ever saw it.

Here in the UK, when such a leak occurs, firms may be required to notify the Information Commissioner’s Office (ICO) and, where the leak is likely to result in a high risk to the people concerned, those whose PII has been exposed. The ICO must be notified unless the breach is unlikely to result in a risk to individuals’ rights and freedoms; individuals must be told only when that risk is high.

Points to remember when contacting the ICO

Companies facing a data leak must notify the ICO without undue delay and, where feasible, no later than 72 hours after becoming aware of it. The clock starts when the firm has a reasonable degree of certainty that a breach has occurred, not when the investigation is finished, so the person who first spots the incident must have a clear route to escalate it. The notification must contain the details the ICO needs to record the leak: the enterprise’s name, contact details, and the designated person (usually the data protection officer) responsible for managing the incident and acting as the point of contact. Firms reporting a data leak must also give an estimate of when the leak was found, along with further information on the nature of the breach and the type of personal data affected.

Where possible, the report should include comprehensive details of the leak: the categories and approximate number of individuals and records affected, the likely consequences for those individuals, the actions taken or proposed to address the breach and to mitigate its negative effects, and any communications already sent to affected parties. If some of this is unavailable when the initial report is made, the missing details may be supplied in phases, without undue further delay, and the initial report should give a time scale for when they will follow. Whether or not a leak is reported to the ICO, the controller must keep its own internal record of every breach, including the facts, its effects and the remedial action taken; this record is what the ICO will ask for when it checks that a decision not to notify was justified.

Informing affected data subjects

If a leak is likely to result in a high risk to the rights and freedoms of the people whose data is involved, it is vital they are informed without undue delay. Individuals affected should be contacted in clear, plain language and given your firm’s name and the contact details of your data protection officer or other point of contact. You should also give them an approximate date for the leak along with a description of the event, including the type of data disclosed and the harm they may potentially suffer, such as fraud, identity theft or exposure of sensitive information. Data subjects should be told what actions you are taking to address the leak and what steps they can personally take to avoid harm, for example resetting passwords, watching for phishing messages that reference the leaked data, or monitoring their accounts.

Total data protection

If firms are able to show that the PII accessed or disclosed in a data leak was unintelligible to whoever obtained it, for example because it was encrypted and the decryption keys were not exposed, they do not have to inform data subjects of the incident, according to the ICO. Two caveats apply: the exemption only holds if the keys (or the credentials that unlock them) were not compromised along with the data, and it removes the duty to tell individuals, not the duty to notify the ICO, which still applies unless the breach is unlikely to result in a risk. Our secure platform from Galaxkey has been engineered with powerful three-layer encryption to keep all data safe from leaks, whether it is at rest or in transit. Contact our team for a free online demonstration.