Data breach response plan: Hints and tips

If you experience a data breach, time is of the essence. Firstly, you should consult your data protection officer to confirm whether there is a reporting obligation. If it is a reportable breach as defined in the UK GDPR, you have 72 hours to inform the appropriate supervisory authority (the Information Commissioner's Office (ICO) in the UK). Our data breach response plan will guide you through the steps to take when you identify a breach.

The most important points to consider are: 

  • Plan a clear data breach response - it saves time and effort. 
  • Identify whether it is a personal data breach and whether it is reportable. 
  • Promptly discuss possible mitigation measures with your data protection officer (DPO). 
  • Review all the steps outlined in the example process below.
  • Decide whether you need to notify the ICO. 
  • Finally, if deemed significant, notify the affected individuals. 

Actions to take in the event of a data breach: sample process 

If you notice or even suspect a data breach, you should act quickly. If you don’t, the consequences for your company may be extensive: fines and reputational damage are both possible outcomes. It therefore makes sense to follow a proven process when creating your data breach response plan.

Step 1: Contact your data protection officer 

The first point of contact in the event of a data breach is your DPO. Provide as much detail about the breach as possible so that they can help you assess the damage and identify the next steps.

If your company does not have a DPO, for example because one is not mandatory given the size of the company or its industry, you can get information and guidance from the ICO’s website.

We give a basic overview of the data protection officer role in this blog.

Step 2: Review the case 

The UK GDPR does not require you to report every breach. Before you decide whether the breach is reportable, you need to review the facts in detail to identify the level of risk to the rights and freedoms of the data subjects. Whilst every data breach involves some risk, whether you must report it depends on the level of that risk, for example low, normal or high. Your data protection officer will help you assess these risks.

Low risk

Examples of low risks include:  

  • the loss of a storage medium containing personal data where the data is encrypted, for example a password-protected device. (Here you can find information about backup and data recovery.)
  • a letter sent to the wrong address but returned unopened to your address.
  • the loss of an internal company list containing employees' private phone numbers.

Normal to medium risks

Normal to medium risks include, for example, newsletters that have been sent with all recipients' email addresses visible to one another. Although the group of people affected here is usually large, the disclosure of email addresses is generally less sensitive than, for example, the forwarding of bank details.

High risks

Personal data such as medical diagnoses or bank details can have extensive consequences for the data subjects if viewed by third parties. Data breaches involving such sensitive information should be classified as "high".

Summary: check what specific data has been lost and how many people are affected by the data breach. The more extensive the loss, the more sensitive the information and the larger the group of people affected, the higher the risk.


Step 3: Implement mitigation plans 

As soon as you understand the situation, you should implement risk mitigation actions as best you can. For example, if access credentials for internal servers have been lost, you should change the passwords immediately. If security gaps in the system have allowed an attack to succeed, you should contact your IT specialist and eliminate the risk.

Another useful tool to have prepared in advance is a list of actions to take and information to collect in the event of a data breach. You can consult this in an emergency to make sure you gather the details needed to make the correct decisions on further preventative measures. Include the relevant people to contact in an emergency, for example in IT security, so that you and your employees can react quickly in case of doubt.

Step 4: Notify the ICO 

Where a data breach is deemed to carry normal to medium or high risks, the ICO must be informed. You have 72 hours from the moment you become aware of the breach to notify the authority. Whilst you might not notify the authority of a low-risk breach, you should still take measures to avoid similar cases in the future.

Tip: If you cannot notify within 72 hours for compelling reasons, you must include a justification for the delay with your notification. If the justification is reasonable (for example, because you were busy taking countermeasures to mitigate the damage), you will generally not face additional penalties for the late report.

A good data breach response plan will include a template notification to the supervisory authority. In it, you should be able to record what exactly has happened, how many people are likely to be affected, what measures will be taken and what the possible consequences are. You should also include the contact details of your DPO.

Step 5: Notification of data subjects 

Data subjects must be informed if you have identified a high risk to the rights and freedoms of the people affected. This could be, for example, the unauthorised disclosure of bank details or health data.

Data subjects do not usually have to be notified if, for example, you have lost data on encrypted storage media that is not accessible to third parties. The obligation to notify data subjects may also not apply if, during the breach, you have implemented risk prevention measures that mean a high risk to the rights and freedoms of individuals is no longer likely.

Step 6: Future considerations 

If you see warning signs that unauthorised persons are trying to access internal systems, re-evaluate the risk likelihood criteria and update the mitigation controls to prevent this from becoming a reality.

Identify potential data mishaps and review how you can prevent them. For example, are your storage media, or the data saved on them, encrypted? If not, you should consider implementing such precautions.

Do your employees know how to report an actual or suspected data leak? If there is no DPO, your company should at least have a central point of contact for security and data protection issues. This person will help you review ongoing data protection measures and implement the breach action plan when required. 

Conclusion: Mastering data breaches with confidence 

When a data breach is suspected or discovered, you must act quickly. We have created a template that includes the actions to follow in the event of a breach. You also have access to a qualified data protection officer who is available to advise you throughout the process. Together with the DPO, you can take preventative measures to avoid data breaches in the future and maintain your company’s reputation. Actively communicating your data protection measures to your customers and partners demonstrates that your company is professional and trustworthy.

About the author

Ren Watson

As a results-focussed analyst, Ren has worked in many industries including finance, charity and start-ups and became interested in data protection as a focus over the last decade. Using her analyst skills alongside her data protection expertise, she has consulted with charity, media and energy companies to understand their data protection requirements and has provided guidance and support for implementation of multiple privacy programmes. Today, she provides multi-functional support and awareness within DataGuard and to clients to promote privacy beyond compliance.
