Does your business have a clear plan of action when it comes to handling personal data breaches, both cyber and non-cyber related?
Under the UK GDPR you have a responsibility to protect the personal data you process and to have robust technical and organisational measures in place to secure it.
Has a move to hybrid working opened up a vulnerability that wasn’t there pre-pandemic? Are people more distracted when working from home, and therefore more susceptible to making mistakes, e.g. falling for phishing scams? See our recent blog on phishing scams, Don’t take the bait!, for further information.
Human error accounts for a large proportion of the breaches organisations experience. According to the Stanford University study Psychology of Human Error, 40% of people surveyed stated “…that they have sent an email to the wrong person in the last 12 months.” According to the ICO’s Data security incident trends, “Data emailed to the wrong recipient is the most common incident type reported, making up 15% of total incidents reported across the period.”
The Stanford University study also reported an increase in the number of people not feeling comfortable reporting their mistakes (breaches), “…with 21% of employees saying they didn’t tell their IT team about the mistake – up from 16% in 2020.” Having an open reporting policy for breaches is a great way to operate: making sure colleagues are comfortable reporting incidents is the best way to achieve improvements moving forward.
Do you have clear guidance in place:
- Is your organisation aware of the fundamentals?
- What is personal data?
- What is a data breach?
- What should they do if they discover a breach?
- How do they report a suspected/confirmed breach?
- How should they be securing the personal data they process?
Do you have a robust process:
- Do you have a designated person/team to manage the breach?
- Do you know what breaches to report to the Supervisory Authority (ICO)?
- Do you know the time constraints (deadline) in reporting to the ICO?
- Do you know in what circumstances individuals affected have to be informed?
- Do you know how to internally register breaches?
- Are your colleagues aware of this process?
- Do you test the process?
For guidance or further information on personal data breach management or any Data Protection/GDPR queries, please get in touch and we will be more than happy to discuss this further with you.