Standard Contractual Clauses (SCCs) for data transfers

August 21, 2023

EU-US Data Privacy Framework: 3rd time lucky?

September 18, 2023

Data breach management: 5 tips for an effective response

September 4, 2023

Cyber vs non-cyber breaches: What’s the difference?

Some of the biggest personal dataInformation which relates to an identified or identifiable natural person. breaches in recent history have involved cyber-attacks on organisations by malicious third parties. A significant example is Yahoo’s breach, which involved 3 billion user accounts, and was reportedly initiated by a spear-phishing email.

However, according to the UK’s Information Commissioner’s OfficeThe United Kingdom’s independent ‘supervisory authority’ for ensuring compliance with the UK GDPR, Data Protection Act 2018, the Privacy and Electronic Communications Regulations etc. (ICOThe Information Commissioner's Office (ICO) is the United Kingdom’s independent supervisory authority for upholding information rights in the public interest, ensuring compliance with the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).), non-cyber incidents account for the highest number of reported breaches in total.

A non-cyber breach is also known as a physical or offline breach. These happen through physical means and usually involve human error. Between October and December 2022, 75% of reported UK personal data breaches were classified as non-cyber, with “data emailed to the wrong recipient” cited as the leading cause, accounting for 19% of the incidents.
See the ICO data security incident trend report on Q4 2022

Data breach management best practices

No matter the organisation size or industry sector, proactive steps need to be taken to prevent a data breach. A robust plan offers more than simply avoiding data breach penalties. It allows organisations to respond swiftly and provides the following important advantages:

Builds customer trust
Preserves brand reputation
Strengthens partnerships
Mitigates business disruption
Gives stakeholders peace of mind

In today’s digital world, data breaches are an unfortunate reality. By having a comprehensive plan and well-prepared staff, organisations can minimise the impacts of potential attacks, and demonstrate a commitment to safeguarding their customers’ information.

Pippa Scotcher, Data Protection Officer from The DPO Centre has conducted many compliance audits for companies, offering practical advice and guidance for updating processes and frameworks:

“Organisations must ensure they have a tried and tested breach responseAn organisation's procedure or approach for recording, investigating, containing and mitigating a personal data breach. procedureAn approved and established way of completing a certain task. in place to mitigate against the potentially significant effects of both cyber and non-cyber data breaches. Doing so enables organisations to act quickly to contain and remediate a breach, which ultimately reduces the likely damage caused to the organisation and affected individuals.”

Larger organisations usually have dedicated breach teams and support for ongoing data security training. But smaller businesses, especially self-employed individuals, can face unique challenges due to a lack of resources.

For UK businesses, see the Information Commissioner’s Office (ICO) data protection guides for small organisations
In the EU, the European Data Protection Board (EDPB) offers a data protection guide for small businesses

5 tips for an effective data breach response

Tip 1: Establish a data breach response team

This can be a single person or a group, who will manage security incidents. Time is of the essence when responding to a breach and having a dedicated response team plays a vital role in minimising any impact, whilst safeguarding sensitive information. Ideally this person, or team, should have a solid understanding of the data protection considerations alongside any immediate technical mitigation.

Tip 2: Review your data processing activities

Understanding how and where your organisation processes personal data, along with existing security measures in place, helps identify potential weaknesses and highlights any breach risks. Regular reviews should be part of your overall plan. They will allow you to make informed decisions on how best to allocate resources to strengthen your organisation’s data protection efforts.

Creating an Information Asset RegisterA record of information assets (including personal data and special category data), detailing their specific attributes (such as their owner, retention period, storage location, disposal instructions etc.), conducting data mapping exercises, and building a Record of Processing Activities (RoPA) can all help with this processA series of actions or steps taken in order to achieve a particular end.. In addition, undertaking Data Protection Impact Assessments (DPIAs) on high risk processing activities ensures particular focus on processes where the impact of a data breach is likely to be more significant.

Tip 3: Develop a data breach response plan

As detailed in the previous section, a data breach response plan is essential. A risk assessment will identify areas of weakness, but a robust data breach response plan ensures staff are well-prepared if a breach does occur.

The specific details of a plan will vary from company to company and depend upon organisation size, industry sector and specific data handling practices. In general, data breach response plans should include:

Details of the data breach response team
Breach identification and internal reporting and logging procedures
Legal and regulatory procedures
Breach containment and mitigation
External support resources
Breach risk assessment framework
Post-breach review procedures
Training and awareness requirements

Tip 4: Monitor for suspicious activity and anomalies

This is an important ongoing strategy for identifying any potential breaches. Early intervention can reduce the damage caused by cyberattacks or personal data security incidents. Regularly updating and monitoring internal processes based on any emerging threats and best practices is ideal. Here are some measures to consider:

Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)
Analyse web application logs for suspicious activities such as multiple login failures
Conduct regular data protection security audits
Conduct regular data protection refresher courses for all staff

Tip 5: Build a data protection culture

Prevention is always better than cure, and this is never truer than for data breaches. Having a company culture with in-built data protection awareness and knowledge is perhaps one of the key factors in preventing a data breach. As the ICO figures show, the highest number of breaches are non-cyber, and of those, sending an email to the wrong recipient is the most probable cause of a data breach. Ongoing staff awareness and training is a crucial foundation for building a strong data protection company culture.

Summary

Data breaches are an unfortunate reality in today’s digital world. However, by having a comprehensive data breach management plan in place, organisations of all sizes can minimise the impacts of potential attacks and demonstrate a commitment to safeguarding information.

By following these 5 tips and implementing a step-by-step plan, organisations can protect personal information, strengthen data security and ensure the trust and confidence of stakeholders and customer alike. Proactive measures and timely responses are the key for effective data breach management.

For more advice or to discuss a specific data protection requirement, please complete the form below and we will be in touch.

For more news and insights about data protection and The DPO Centre, follow us on LinkedIn

In case you missed it…

See our previous blogs with additional information about data breaches:

Enquire

Fill in your details below and we’ll get back to you as soon as possible

Alternatively click one of the options below to speak to us

Email Call