Some of the biggest personal data breaches in recent history have involved cyber-attacks on organisations by malicious third parties. A significant example is Yahoo’s breach, which involved 3 billion user accounts and was reportedly initiated by a spear-phishing email.
These types of breaches make headline news, and cyber security is certainly crucial for any organisation processing personal data. However, according to the UK’s Information Commissioner’s Office (ICO), the independent supervisory authority for the UK GDPR and the Data Protection Act 2018, non-cyber incidents account for the highest number of reported breaches in total. Organisations therefore need a well-rounded approach to data breach management: both cyber and non-cyber incidents need to be considered.
A non-cyber breach is also known as a physical or offline breach. These happen through physical means and usually involve human error. Between October and December 2022, 75% of reported UK personal data breaches were classified as non-cyber, with “data emailed to the wrong recipient” cited as the leading cause, accounting for 19% of the incidents.
See the ICO data security incident trends report for Q4 2022.
Integrity and confidentiality (security) is one of the founding principles of the GDPR
Security is a fundamental aspect of data protection. The integrity and confidentiality principle (the sixth GDPR principle, also known as the security principle) requires organisations to implement appropriate security measures to protect personal data. Any organisation processing the personal data of EU and/or UK residents must adhere to the GDPR and/or UK GDPR respectively and implement appropriate technical and organisational safeguarding measures. Having a strong plan in place to prevent and respond to breaches is essential for good data protection governance.
No matter the organisation’s size or industry sector, proactive steps need to be taken to prevent a data breach. A robust plan offers more than simply avoiding data breach penalties: it allows organisations to respond swiftly and provides the following important advantages:
In today’s digital world, data breaches are an unfortunate reality. By having a comprehensive plan and well-prepared staff, organisations can minimise the impacts of potential attacks, and demonstrate a commitment to safeguarding their customers’ information.
Pippa Scotcher, Data Protection Officer from The DPO Centre, has conducted many compliance audits for companies, offering practical advice and guidance for updating processes and frameworks:
“Organisations must ensure they have a tried and tested breach response procedure in place to mitigate against the potentially significant effects of both cyber and non-cyber data breaches. Doing so enables organisations to act quickly to contain and remediate a breach, which ultimately reduces the likely damage caused to the organisation and affected individuals.”
The key to successfully mitigating a data breach is being prepared. Here are 5 useful tips for best practice data breach management:
Tip 1: Establish a data breach response team
This can be a single person or a group who will manage security incidents. Time is of the essence when responding to a breach, and having a dedicated response team plays a vital role in minimising any impact whilst safeguarding sensitive information. Ideally this person or team should have a solid understanding of the data protection considerations alongside any immediate technical mitigation.
Tip 2: Review your data processing activities
Understanding how and where your organisation processes personal data, along with existing security measures in place, helps identify potential weaknesses and highlights any breach risks. Regular reviews should be part of your overall plan. They will allow you to make informed decisions on how best to allocate resources to strengthen your organisation’s data protection efforts.
Creating an Information Asset Register (a record of information assets, including personal data and special category data, detailing attributes such as owner, retention period, storage location and disposal instructions), conducting data mapping exercises, and building a Record of Processing Activities (RoPA) can all help with this process. In addition, undertaking Data Protection Impact Assessments (DPIAs) on high-risk processing activities ensures particular focus on processes where the impact of a data breach is likely to be more significant.
Tip 3: Develop a data breach response plan
As detailed in the previous section, a data breach response plan is essential. A risk assessment will identify areas of weakness, but a robust data breach response plan ensures staff are well-prepared if a breach does occur.
The specific details of a plan will vary from company to company and depend upon organisation size, industry sector and specific data handling practices. In general, data breach response plans should include:
Tip 4: Monitor for suspicious activity and anomalies
This is an important ongoing strategy for identifying any potential breaches. Early intervention can reduce the damage caused by cyberattacks or personal data security incidents. Regularly updating and monitoring internal processes based on any emerging threats and best practices is ideal. Here are some measures to consider:
Tip 5: Build a data protection culture
Prevention is always better than cure, and this is never truer than for data breaches. A company culture with in-built data protection awareness and knowledge is perhaps one of the key factors in preventing a data breach. As the ICO figures show, the highest number of breaches are non-cyber, and of those, sending an email to the wrong recipient is the leading cause. Ongoing staff awareness and training are a crucial foundation for building a strong data protection company culture.
Data breaches are an unfortunate reality in today’s digital world. However, by having a comprehensive data breach management plan in place, organisations can minimise the impacts of potential attacks and demonstrate a commitment to safeguarding information. By following these tips, organisations can be better prepared to prevent and respond to personal data breaches, protecting their personal information and their own reputation.