There is a growing realisation, not only among security professionals but within businesses themselves, that at some point customer data will be compromised or stolen. In 2017 there were a number of high-profile incidents affecting companies such as Equifax, Bupa and Uber, all of which reported significant data breaches involving the compromise of personal data.
This may happen to you directly, in GDPR terms in your role as the data controller, or it may happen to a third party who manages data on your behalf, the data processor. Whichever unfortunate scenario you find yourself in, it is important not to panic and to understand what your obligations are under GDPR.
What is a data breach?
The GDPR definition of a personal data breach is very broad. Article 4(12) defines it as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed", and many organisations may previously have worked to a narrower definition. Note that it covers availability and integrity as well as confidentiality. The ICO's guidance gives the following examples of a personal data breach:
- data is accessed by an unauthorised third party
- deliberate or accidental action (or inaction) by a controller or processor
- sending personal data to an incorrect recipient
- computing devices containing personal data being lost or stolen
- alteration of personal data without permission
- loss of availability of personal data
It goes without saying that anything you or your data processor can do to reduce the likelihood of a breach is worth considering. Choosing only data processors that you have vetted is a good place to start; equally, review your own internal processes and tools, from encrypting the disks of laptops and desktops to physical building security. Don't make it easy for a breach to occur. Under GDPR (Article 32) the ICO expects you to have implemented appropriate organisational and technical measures to protect personal data, and you will need to evidence this should a breach occur.
What Should I Do If A Data Breach Has Taken Place?
Even with the best-laid plans, you may find yourself in a situation where a data breach happens. GDPR (Recital 87) says that when a security incident takes place, you should quickly establish whether a personal data breach has occurred and, if so, promptly take steps to address it, including telling the ICO if required.
Step 1 | Make an assessment of the risk to individuals
Your first step is to establish the 'likelihood and severity of the resulting risk to people's rights and freedoms' (ICO website). If you conclude that the breach is unlikely to result in a risk to people's rights and freedoms, you do not need to notify the ICO. Be aware, though, that you need to be able to robustly justify your assessment, so document how and why you reached this conclusion. Article 33(5) requires you to keep a record of every personal data breach, its effects and the remedial action taken, whether or not you report it, and the ICO can ask to see that record.
What does ‘risk to rights and freedoms’ actually mean?
In simple terms you are looking at any negative impact the breach could have on the individual: emotional distress, physical harm or material damage, as opposed to something that is merely an inconvenience to them.
GDPR (Recital 85) describes this negative impact as resulting in any:
"…physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned."
For those working in healthcare, 'loss of confidentiality of personal data protected by professional secrecy' is certainly one to be aware of.
A Note On Your Role As A Data Controller (Owner Of The Data)
As the data controller you remain responsible for the data even when it is a data processor you have engaged that suffers the breach and notifies you: it is still your decision, and your obligation, to assess whether to notify the ICO and, where they are affected, your customers. The 72-hour clock for notifying the ICO runs from when you become aware of the breach, so delays by a processor eat into your time. Under Article 33(2) a processor must notify the controller without undue delay after becoming aware of a breach, and your contract with the data processor should set out how, and how quickly, that notification will reach you.
Step 2 | Reporting The Breach
If your assessment concludes that the breach is likely to result in a risk to the rights and freedoms of individuals, you must report it to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it (Article 33). If you cannot make the report within 72 hours, it must be accompanied by the reasons for the delay; you may also supply the information in phases if it is not all available at once. To report a breach, use the ICO's Report A Data Breach page.
The breach report should include the following information:
- a description of the personal data breach including
- the categories* and approximate number of individuals concerned
- the categories* and approximate number of personal data records concerned
- the name and contact details of your data protection officer, if you have one, or another contact point where more information can be obtained
- a description of the likely consequences of the personal data breach
- a description of the measures taken or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible negative impacts
*by categories – this refers to the type of data impacted, the following lists the 3 broad classifications used and examples in each. It’s not exhaustive but gives a clear idea of the categories of data that could be involved:
- personal data categories (personal details, financial details, education and employment details, lifestyle details, visual images)
- sensitive data categories (racial or ethnic origin, physical or mental health details, political opinions, religious beliefs)
- data subject categories (employee, customer, members and shareholders)
Step 3 | What Do I Tell Individuals Impacted By The Breach?
Where the breach is likely to result in a high risk to people's rights and freedoms, you must also tell the individuals concerned directly and without undue delay (Article 34), so as soon as you sensibly can. This gives each individual as much time as possible to protect themselves, for example by changing passwords or watching for fraudulent activity.
The ICO gives the following example:
“A hospital suffers a breach that results in an accidental disclosure of patient records. There is likely to be a significant impact on the affected individuals because of the sensitivity of the data and their confidential medical details becoming known to others. This is likely to result in a high risk to their rights and freedoms, so they would need to be informed about the breach.”
The information to provide to individuals, in clear and plain language, is:
- a description of the nature of the personal data breach
- the name and contact details of your data protection officer, if you have one, or another contact point where more information can be obtained
- a description of the likely consequences of the personal data breach
- a description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, measures to mitigate any possible adverse effects
What happens if I fail to notify the ICO of a data breach?
Failure to notify the ICO of a reportable data breach may result in a substantial fine: under Article 83(4) a breach of the notification duties in Articles 33 and 34 can attract a fine of up to €10 million or 2% of total annual worldwide turnover, whichever is higher. That is in addition to any penalty for the security failing that led to the breach itself.
Anything Else I Should Do?
Once a breach has occurred, perform a root-cause analysis and look for remediation steps that will prevent a similar breach recurring: additional training if human error is the cause, changes to process steps, or further technical safeguards may all be appropriate. Record the outcome alongside the breach record you are required to keep.
It’s only a matter of time before an incident occurs, be prepared and ensure you can respond appropriately to protect your customers and mitigate any reputational damage.
If you are struggling with GDPR Compliance and don’t know where to start Buzz Web Design & Consultancy has put together a helpful pack to get you started on the road to compliance – GDPR Compliance Pack and for those working in the private healthcare sector a GDPR Therapy Agreement.
If you are unsure about GDPR and what it might mean for your business, feel free to contact me.