The National Cyber Security Centre (NCSC) says there are only two types of organisation: those that have been hacked and those that will be. Which are you? More to the point, would you know exactly what to do to remain compliant with the Data Protection Act 2018 and the GDPR when that day comes?
Your web server is probably loaded with personal data, but a ‘personal data breach’ extends well beyond cyber attacks. The GDPR defines it as any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Breaches therefore come in all forms: the physical loss of personal data (a lost laptop, tablet, USB device, perhaps your paper diary), the loss of a data service which makes personal data unavailable, or the inadvertent disclosure of data, as happens all too often through email or the use of unsecured office printers. Still unsure? How many of your office colleagues have sent an email to an unintended recipient? You will be shocked.
72 Hours to React and Report!
You have just 72 hours to react. The clock starts the moment you become aware of the breach, not when the breach happened, and it runs through evenings, weekends and bank holidays: a breach discovered at 5:00 pm on New Year’s Eve must be notified by 5:00 pm on 3 January. There’s a lot to be done, quickly. Would you know where to begin? Do you have the systems in place, and the experience, to avoid a penalty?
The Advanced UK Information Governance & Data Protection team know the drill. From investigating the nature of the breach and assessing the risk it poses to the individuals affected (it is that assessment, not the size of the incident, which determines whether and whom you must notify), through to any Data Protection Impact Assessment (DPIA) the affected processing requires, they can respond immediately. Remember that not carrying out a DPIA when you are obliged to do so is an infringement of the GDPR which can lead to penalties of up to €10m or 2% of worldwide annual turnover, whichever is the higher. Worryingly, performing a DPIA incorrectly falls into the same penalty tier, as does failing to notify a reportable breach at all.
The formal notification must go to the relevant Supervisory Authority, which for a UK organisation is the Information Commissioner’s Office (the ICO), but perhaps to others too if you operate in multiple jurisdictions. The GDPR prescribes what the notification must contain: the nature of the breach, including the categories and approximate number of data subjects and records concerned; the contact details of your Data Protection Officer; the likely consequences; and the measures taken or proposed to address the breach and mitigate its effects. It’s no use relying on just the ICO’s online template: this doesn’t ensure that full documentation is presented, and is perhaps more likely to lead to further regulatory demands.
How will you notify the data subjects? Must you inform them at all? (Under the GDPR you must do so without undue delay where the breach is likely to result in a high risk to their rights and freedoms.) What about the media? Within your industry there may be specific regulatory demands too: for example, solicitors need to notify the Solicitors Regulation Authority (the SRA). Your insurers may need to be put on notice and, depending on the scale of the incident, perhaps also your public relations agency.
Our team will manage the process from the beginning. We will engage with your Board and all involved parties, such as your ICT team, marketing, legal, insurers and more. We will perform the DPIA(s), draft the documentation, and provide detailed guidance which helps your organisation fulfil its legal obligations. Of equal importance, our team will advise when you don’t need to escalate the matter: contrary to much media coverage, not all data breaches need to be reported to the regulator, although every breach must still be recorded internally, together with the reasoning behind the decision. Determining where that threshold lies demands specialist advice.
As a final thought, the risk of a regulatory penalty is not the real issue: the real issue is mitigating the damage to your organisation’s reputation. By engaging the professionals at the outset, you minimise the risks to the organisation.
About our team
The Information Governance & Data Protection team at Advanced UK is headed by Humperdinck Jackman, a leading authority on data privacy. Humperdinck serves as the Data Protection Officer (DPO) for the world’s largest children’s charity, for a large schools trust, and for various software corporations. He is a specialist advisor to law firms and a frequent public speaker in the field.
To arrange your free gap analysis with our team, or simply to find out more about how we can support you and your business, please email us at firstname.lastname@example.org or call us on 01895 811 811.