Guest article: top five things to do to prepare for a cyber/data breach
Author: Debbie Venn, Partner, DMH Stallard LLP
Cyber and data breaches have become part of our daily lives, from unencrypted USB sticks left in car parks to large-scale breaches such as Cambridge Analytica or British Airways. Businesses need to have a grip on the measures they have in place to keep data secure (including personal data and confidential information), both to protect this valuable asset and to comply with the law.
The introduction of the General Data Protection Regulation 2016 (GDPR) and the Data Protection Act 2018 (DPA) means that businesses now need to demonstrate their compliance and take appropriate technical and organisational measures in order to keep personal data secure.
If you are a data controller (i.e. you determine how personal data is processed) then this obligation includes reporting data breaches to the UK Information Commissioner’s Office (“ICO”) within 72 hours of discovering a breach. Data processors (who take their instructions from data controllers) need to notify the data controllers on whose behalf they process personal data about any data breaches without undue delay after discovering a breach. The laws also require a data controller to notify data subjects about a data breach if the breach causes a high risk to the data subjects’ rights. Failure to notify can lead to enforcement action from the ICO and/or a fine, as well as compensation being payable to data subjects.
What can I do to plan?
Internal processes: You should have a process in place that requires data breaches to be analysed and assessed to see if a security breach leads to the accidental and unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. If so, then such a breach is likely to be reportable to the ICO (and potentially data subjects).
Data breach policy: You should have a Data Breach Policy in place, which records the internal escalation process for raising awareness of a data breach at the earliest opportunity, so that the impact of the breach can be minimised and managed quickly.
Five top tips
- Conduct an audit of your systems and identify areas of vulnerability so that further protective measures can be put in place.
- Where your systems are controlled by third parties, make sure you have a data processing agreement in place that sets out a process for dealing with data breach notifications and management.
- Consider whether you need to notify your insurers of any personal data breaches.
- Give guidance and training on systems and policies relating to data protection and what to do in the event of a cyber breach.
- Keep your measures under review, learn from incidents to improve future precautions, update internal policies as needed, and communicate any changes.
Debbie Venn will be speaking at ABTA’s Cyber and Data Breach Management in Travel seminar on 5 February in central London. Attend to get further guidance and hear from other speakers including ABTA, National Cyber Security Centre, Experian, TUI and more. To view the agenda and register your place visit abta.com/abtaevents.