Data protection breaches are a risk to any business that’s responsible for handling people’s personal data. This includes employees’ data as well as that of members of the public, and the more data that’s processed, the greater the risk. You may have seen some high profile data breaches in the news, such as the MOVEit hack that targeted payroll information or the breach of the outsourcer Capita.
In this blog, we’ll discuss what counts as a breach of data protection, the different scenarios it covers, and what you should do to prevent one.
Data protection explained
In the UK, businesses must follow the General Data Protection Regulation (GDPR) as set out in the Data Protection Act 2018. The law aims to ensure the fair, lawful and transparent use of personal information. It also states that data must be:
- Kept accurate and up to date.
- Handled with an appropriate level of security to prevent unauthorised or unlawful access, damage, or loss.
- Used for an explicit purpose.
- Limited to what is necessary, relevant and adequate for that purpose.
- Kept only for the period of time it is required.
For the majority of UK businesses, cyber security compliance therefore means putting measures in place to uphold data protection. This can include restricting employee access, backing up data, and having recovery plans in place. Complying with GDPR also means using personal data safely on a day-to-day basis. As a result, it often has a bigger impact on businesses that regularly collect user data, such as those with ecommerce sites.
What is a breach of data protection?
Under GDPR, a personal data breach is defined as ‘any security incident that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data’. While this encompasses many scenarios, personal data breaches can be grouped into the following categories:
- Availability – access to personal data has been lost. This can happen by accident or as the result of a targeted cyber-attack. Destruction of personal data, whether or not it is also stolen, can also be categorised as an availability breach.
- Confidentiality – access to data has been granted to individuals who should not have it. Unauthorised disclosure can happen through many channels, such as email, phone, in writing, or in person.
- Integrity – personal data has been altered without authorisation or by accident.
The sensitivity of the affected data affects the severity of the breach and the response that’s warranted. For example, a patient’s leaked medical history has clearer potential to cause damage than their contact information. Records of this kind are a common example of confidentiality breaches.
What constitutes ‘personal data’?
The definition of personal data has changed over time. Nowadays, there is far more scope for what information can be used to identify an individual. Account numbers, dates of birth, addresses, and ID numbers are still considered personal information. However, businesses should also be careful about how they process data that reveals someone’s economic, social, cultural, mental, or even genetic information. Of course, certain industries are more likely to deal with certain types of personal data than others.
What do I do following a data protection breach?
UK organisations are obligated to report a breach to the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of it. For those in England, this can be done using the Data Security and Protection Reporting Tool; in Wales, Scotland, and Northern Ireland, the ICO breach reporting tool is used. In both cases, however, reporting is only required when a breach poses a ‘risk to the rights and freedoms of individuals’.
You can choose to assess the severity of a data protection breach yourself or enlist cyber security consultancy services. Because of the financial and reputational damage data protection breaches can cause, it’s often recommended to get professional help from digital security consultants like CyberWhite. Our digital forensics services can help make sure your infrastructure is compliant with GDPR and minimise the risk of a breach.
Submitting a breach notification report
A breach notification report should include:
- A detailed account of the breach, including the estimated number of individuals and personal data records affected.
- Contact information for the Data Protection Officer (DPO) or another qualified point of contact.
- A description of the measures the business had put in place to prevent a personal data breach. A report can also include measures that were proposed but not yet implemented at the time of the breach.
- A description of the data breach’s most likely consequences, including any mitigation already carried out.
Organisations that fail to notify the ICO of a data protection breach can face a large administrative fine. The penalty can be significantly higher than for other breaches of the Data Protection Act, with fines potentially reaching £8.7 million or 2% of the business’s annual turnover.
Expert cyber security support
Everyone at CyberWhite is committed to technology solutions that make businesses more cyber secure. To this end, many of our data security solutions can be used to identify data protection risks and prevent breaches. We follow official guidelines, best practices, and established standards. For instance, our team supports your regulatory compliance by assessing risks based on guidance from the National Institute of Standards and Technology (NIST). Contact us today.