3 Steps to Stay Calm After A Data Breach
According to government data, 46 per cent of all UK organisations experienced at least one cyber-security breach or attack in 2017. Under the General Data Protection Regulation (GDPR), which came into force this year, your organisation is required to report certain types of personal data breaches to the relevant supervisory authority within 72 hours. Failure to report a breach could result in a fine of up to €12 million (8,803,843 GBP) or 2 per cent of your annual turnover, whichever is higher.
With such heavy penalties, it’s essential that you follow these three steps to protect your organisation:
1. Contact the relevant authorities and inform them of a breach within 72 hours.
2. Directly contact any individuals affected by a breach if it is likely to result in a high risk to their rights and freedoms. (Note: the Information Commissioner’s Office explains that ‘the threshold for notifying individuals is greater than notifying the relevant supervisory authority’.)
3. Finally, complete a breach notification containing the following information:
· The categories and number of people affected by the breach
· The categories and number of personal data records affected by the breach
· The name and contact details of the data protection officer or an additional contact who can offer more information
· A detailed description of the breach’s potential consequences
· A detailed description of what measures your organisation has taken or will take to address the data breach
· A detailed description of the measures your organisation has taken or will take to prevent any possible adverse effects to either itself or the individuals affected.