Responding to a personal data breach

Posted on 15th July 2024 by Streets Business Support



The Information Commissioner’s Office has a simple guide that explains what you need to do in the 72 hours following a data breach.

The seven-step approach advocated is set out below:

Step one: Don’t panic

It’s understandable if you’re concerned about what happens next. But we’re here to help you understand what happened and to prevent it happening again.

Step two: Start the timer

By law, you've got to report a personal data breach to the ICO without undue delay (if it meets the threshold for reporting) and within 72 hours.

Step three: Find out what’s happened

Pull the facts together as quickly as possible.

Step four: Try to contain the breach

Your priority is to establish what has happened to the personal data affected. If you can recover the data, do so immediately. Also, you should do whatever you can to protect those who will be most impacted.

Step five: Assess the risk

You should now assess what you feel the risk of harm is to those affected, whether that’s your customers, members or service users.

Step six: If necessary, act to protect those affected

If possible, you should give specific and clear advice to people on the steps they can take to protect themselves, and what you’re willing to do to help them. If you don’t think there’s a high risk to the people involved, you don’t have to let them know about the incident.

Step seven: Submit your report (if needed)

If the breach is reportable, you can report it online.

The ICO has a helpline you can call on 0303 123 1113, or you can view its online advice at https://ico.org.uk/for-organisations/advice-for-small-organisations/72-hours-how-to-respond-to-a-personal-data-breach/.


No Advice

The content produced and presented by Streets is for general guidance and informational purposes only. It should not be construed as legal, tax, investment, financial or other advice. Furthermore, it should not be considered a recommendation or an offer to sell, or a solicitation of any offer to buy any securities or other form of financial asset. The information provided by Streets is of a general nature and is not specific for any individual or entity. Appropriate and tailored advice or independent research should be obtained before making any such decisions. Streets does not accept any liability for any loss or damage which is incurred from you acting or not acting as a result of obtaining Streets' visual or audible content.

Information

The content used by Streets has been obtained from or is based on sources that we believe to be accurate and reliable. Although reasonable care has been taken in gathering the necessary information, we cannot guarantee the accuracy or completeness of any information we publish and we accept no liability for any errors or omissions in material. You should always seek specific advice prior to making any investment, legal or tax decisions.

