What To Do If Customer Data Is Lost, Stolen or Destroyed

There is a growing realisation among not only security professionals but also within businesses themselves that at some point customer data will be compromised or stolen. In 2017 there were a number of high profile incidents impacting companies such as Equifax, Bupa and Uber – all reporting significant data breaches involving the compromise of personal data.

This may happen to you directly – in GDPR speak in your role as the data controller or it may happen to a third party who manages data on your behalf – the data processor. Whichever unfortunate scenario you find yourself in it’s important not to panic and understand what your obligations are under GDPR.

What is a data breach?

The GDPR definition of a data breach is very broad, many organisations may have previously worked to a narrower definition. GDPR includes the following scenarios in its examples of a data breach:

  • data is accessed by an unauthorised third party
  • deliberate or accidental action (or inaction) by a controller or processor
  • sending personal data to an incorrect recipient
  • computing devices containing personal data being lost or stolen
  • alteration of personal data without permission
  • loss of availability of personal data

It goes without saying that anything you can do or your data processor can do to minimise security breaches is worth considering. Ensuring you only choose trusted data processors that you’ve vetted is a good place to start; equally looking at your own internal processes and tools is worthwhile – from encrypting any hard disks to extra building security. Don’t make it easy for a breach to occur. Under GDPR the ICO expects that you will have implemented organisational and technical measures to protect customer data. You’ll need to evidence this should a breach occur.

What Should I Do If A Data Breach Has Taken Place?

Even with the best-laid plans, you find yourself in a situation where a data breach happens. With GDPR (Recital 85) it states that when a security incident takes place, you should establish whether a personal data breach has occurred and if so, take steps to address it, including telling the ICO if required.

Step 1 | Make an assessment of the risk to individuals

Your first step is to establish the ‘likelihood and severity of the resulting risk to people’s rights and freedoms’ (ICO Website). If you believe there is no or minimal impact on people’s rights and freedoms then you don’t need to notify the ICO. Be aware though that you need to be able to robustly justify your assessment so do document how and why you reached this conclusion.

What does ‘risk to rights and freedoms’ actually mean?
In simple terms you’re looking at any negative impact it can have on the individual – emotional distress and physical and material damage as opposed to something that is more an inconvenience to an individual.

GDPR (Recital 85) explains negative impact as resulting in any:

“… .physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned.”

For those working in healthcare – loss of confidentiality of personal data protected by professional secrecy – certainly pops out as one to be aware of.

A Note On Your Role As A Data controller (owner of the data)
As a data controller and ultimate owner of the data even if it’s a data processor that you have engaged and they have suffered the data breach and notified you it is still your responsibility to make an assessment as to whether to notify the ICO and your customers if it impacts them. On a side note: your contract with the data processor should cover breach reporting conditions.

Step 2 | Reporting The Breach

If your assessment confirms that there is a negative impact to the rights and freedoms of an individual then you need to report it to the ICO within 72 hours and without undue delay. To report a breach to the ICO click HERE | Report A Data Breach:

The breach report should include the following information:

  • a description of the personal data breach including
  • the categories* and approximate number of individuals concerned
  • the categories* and approximate number of personal data records concerned
  • your name and contact details or data protection officer if you have one
  • a description of the likely consequences of the personal data breach
  • a description of the measures taken or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible negative impacts

*by categories – this refers to the type of data impacted, the following lists the 3 broad classifications used and examples in each. It’s not exhaustive but gives a clear idea of the categories of data that could be involved:

  • personal data categories (personal details, financial details, education and employment details, lifestyle details, visual images)
  • sensitive data categories (racial ethnic origin, physical or mental health details, political opinions, religious beliefs)
  • data subject categories (employee, customer, members and shareholders)

Step 3 | What Do I Tell Individuals Impacted By The Breach?

Ensure you reach out to those impacted without undue delay – so as soon as you sensibly can. This will allow the individual as much time as possible to appropriately protect themselves.

The ICO gives the following example:

“A hospital suffers a breach that results in an accidental disclosure of patient records. There is likely to be a significant impact on the affected individuals because of the sensitivity of the data and their confidential medical details becoming known to others. This is likely to result in a high risk to their rights and freedoms, so they would need to be informed about the breach.”

The information to provide to individuals:

  • your name and contact details or data protection officer if you have one
  • a description of the likely consequences of the personal data breach
  • a description of the measures taken or proposed to be taken, to deal with the personal data breach and including, where appropriate, any mitigate any possible adverse effects.

What happens if I fail to notify the ICO of a data breach?

Failure to notify the ICO of a data breach may result in a substantial fine being issued.

Anything Else I Should Do?

Once a breach has occurred perform root-cause analysis and look for any remediation steps that can be taken to prevent a similar breach re-occurring – possible additional training if human error is the cause, process step changes or further technical safeguards may be an appropriate option.

It’s only a matter of time before an incident occurs, be prepared and ensure you can respond appropriately to protect your customers and mitigate any reputational damage.


Other articles in the GDPR series you may be interested in:

Hey, I Want To See My Data


If you are struggling with GDPR Compliance and don’t know where to start Buzz Web Design & Consultancy has put together a helpful pack to get you started on the road to compliance – GDPR Compliance Pack and for those working in the private healthcare sector a GDPR Therapy Agreement.


If you are unsure about GDPR and what it might mean for your business, feel free to contact me. Contact Me


Buzz Web Design and Consultancy

 

Posted in ,

Shop For Products

Subscribe For Latest Updates

Our newsletter is filled with news, resources and insights. Check our Privacy Policy for how we protect and manage your submitted data.

Please enter your name.
Please enter a valid email address.
Something went wrong. Please check your entries and try again.

Free E-Book 5 Things To Fix On Your Website In The Next Week To Increase Leads

Stop wasting time on the Internet!

Like most business owners, you are probably distracted and overwhelmed by the possibilities of doing business online.

It is also true that most of us fail dismally in our online ventures. So here are five things you can do in the next week to get the needle moving in the right direction.

Please enter your name.
Please enter a valid email address.
Something went wrong. Please check your entries and try again.
5-Things-To-Do-On-your-Website-to-increase-leads

More From The Buzz Blog

website-nightmares

What are the tell-tale signs of having a website nightmare?

Commons signs you're having a nightmare with your website. You're just getting enough clients When you ask people how they...
rock-paraplanning-business-card-mockup

Branding, Website and Marketing For Rock Paraplanning

Hot off the press Buzz Web Design and Consultancy have just completed delivering a branding, website design and marketing service...
Gutenberg-Image-Printing-Blocks

Gutenberg – A New Editor For WordPress

A New Editor For Wordpress Is Due To Land If you use Wordpress for your website and regularly write pages...

Subscribe

Buzz Web Design and Consultancy

Subscribe for Latest updates

Our newsletter is filled with news, resources and insights. Check our Privacy Policy for how we protect and manage your submitted data.

Please enter your name.
Please enter a valid email address.
Something went wrong. Please check your entries and try again.

Leave a Comment