Data Protection Breaches
Discover our specialist Data Protection Breach services and get the expert legal advice and guidance you need should your business experience a breach of data. We are also here to advise on strategy and risk management to avoid data breaches and how to approach such incidents if they do arise.
Protecting your business data
We believe that prevention is better than cure when it comes to business protection. This includes ensuring that our clients have in place a data protection framework which incorporates policies and procedures that protect data and personal information. Our aim is to work with businesses to ensure they have robust policies and procedures in place to avoid or minimise the risk of data breaches. This involves businesses having a greater awareness and understanding of the data protection legislation and best practices.
Data breaches are, however, a real risk to any business, and since GDPR came into effect, businesses have been required to report certain types of data breach to the ICO. According to Verizon's 2022 Data Breach Investigations Report, 82% of data breaches involve a human element, including social attacks, misuse and errors. This includes mistakes made by employees.
The financial and reputational damage that can arise as a consequence of a data breach can be enormous and devastating for any business. We can advise and assist in dealing with the process including reporting to the ICO for data breaches, if necessary. We can assist you in advising those who are affected and dealing with any subsequent fallout, and in defending any claims brought against your business for data breaches or non-compliance with GDPR.
If you need advice and guidance on data breaches, get in touch with a member of the team.
What is a personal data breach?
A personal data breach is a breach of security which leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. It is not just limited to personal information and can include the following types of data breach:
- access by unauthorised third parties
- deliberate or accidental loss or damage by either a data controller or a data processor
- accidental dissemination to a third party (e.g. sending an email to the wrong email address)
- lost devices containing personal data
A data breach can be accidental or unlawful.
Reporting a data breach to the ICO
We are here to guide you and reassure you if you experience a data breach. The key thing is not to panic and to seek advice where possible. Our data protection solicitors are here to help! We can assist early on and work closely with you to provide swift advice and guidance.
Not every data breach needs to be reported to the ICO. Only data breaches involving personal data are breaches under GDPR. If a data breach does need to be reported to the ICO, this must be done by the data controller within 72 hours of becoming aware of the breach.
The ICO has a useful checklist tool on its website, but we would recommend you seek advice from our data protection team if you are unsure whether you are obliged to notify the ICO.
You must have a reasonable degree of certainty that a security incident has occurred, and you do not need to report the breach if it is unlikely to result in a risk to the rights and freedoms of individuals.
We can advise you on whether you are obliged to report the breach and what information the ICO may require.
The ICO has wider powers which can be exercised if necessary.
Reporting data breaches to a data subject
Should the breach involve personal data and be likely to result in a high risk to the rights and freedoms of an individual or data subject, the data controller has a legal responsibility under GDPR to inform them without undue delay so that the individual can take any necessary action. Any such notification needs to be in plain language, and we are here to assist with this process. We can advise you on what information needs to be notified by you and what next steps need to be taken.
Depending on the severity of the breach and the types of data sets affected, it may also be necessary to inform the ICO.
We are able to manage the consequences for you and provide the necessary advice and guidance to navigate a difficult and challenging period for your business and to help manage any reputational fallout.
What do we need to do to avoid data breaches?
We can provide guidance and strategy planning to avoid or minimise the risk of data breaches. Our data protection solutions offer guidance and key documents for this purpose, including a data breach/incident management policy, as required. We also ensure the key documents are in place and advise you on the recommended procedures for managing risk.
Data breach avoidance is not just down to the technology and software you have in place. You need systems in place to underpin this, which rely on people, technology, processes and procedures.
Data Protection Breaches FAQs
What constitutes a data protection breach?
A data breach occurs when personal data that you are responsible for is affected by a security incident, as defined above, in which unauthorised third parties gain access. This security incident or event compromises the confidentiality, availability or integrity of the personal data.
What types of data breaches exist?
There are many types of data breach, and with the growing reliance on technology, criminals continue to find new ways to attack businesses. The most common types of data breach are:
- theft of information
- breach of passwords
- email compromises
- employee mistakes/negligence
- application and software vulnerabilities
What is an example of a personal data breach?
By way of a case study, Charlotte works as an account manager for a software business. She is responsible for setting up new accounts, which involves personal data, including financial data. She is asked to send an internal email about a specific account, including a file containing personal data. However, her address book selected an external email address by mistake, and Charlotte inadvertently sent the email containing the personal data to the wrong email address.
Charlotte must now follow her company's data breach policy and notify her line manager, or whoever the policy instructs her to report to when such an incident occurs. Her company has a data protection officer who will investigate the incident and deal with the necessary reporting requirements.