Tomorrow is National Security Day in the US, which is a day to raise awareness about cybersecurity issues and help people maintain online security. According to the UK Government’s Cyber Security Breaches 2021 Survey, 39% of UK businesses reported having cybersecurity breaches or attacks in the last 12 months. Of those 39%, one fifth suffered the loss of money, data or other assets as a consequence, and one third reported being negatively impacted in some way (eg from general business disruption).
Given the prevalence of cybersecurity breaches across the business sector, we’re taking the opportunity today to discuss the importance of cybersecurity in the context of data protection. This is an important issue because if your business experiences a cybersecurity attack, you run the risk of personal data you’re storing being compromised. If a personal data breach does occur, it’s crucial that you understand what legal obligations you’re under and that you know how to respond. We’ve set out some tips and resources in this blog to get you started.
Personal data breaches
A personal data breach is a security breach leading to the accidental or illegal destruction, loss, alteration or unauthorised disclosure of personal data. Inevitably, if your business is the victim of a cyber attack, you may well face the possibility of a personal data breach.
Your responsibilities when you experience a data breach
You are required under data protection law to ensure that any personal data your business processes is stored securely. This means putting in place appropriate security processes and policies, and ensuring that your staff are properly trained in data security measures.
If your business is a data controller and a personal data breach occurs (whether as a result of a cyber attack or otherwise), you should carry out a risk assessment. You can find more guidance on how to determine if your business is a data controller, and how to carry out a risk assessment, below. If you identify a likely risk to the individuals whose data is involved, you must notify the ICO within 72 hours of becoming aware of the breach. If the breach is highly likely to put their rights and freedoms at risk, then you must also notify the individuals concerned as soon as possible. In all cases, you must keep a record of the breach and your decision-making so that you can justify it later, if required.
In serious cases, failure to meet your obligations to either notify the ICO or to keep written records of breaches, can lead to fines of up to £8.7 million, or 2% of your global annual turnover (whichever is higher). Failure to comply with your data protection obligations more generally (eg to keep personal data secure) can lead to fines of up to £17.5 million or 4% of your global annual turnover.
Steps to take when a breach occurs
As set out above, it’s really important to know how to handle personal data breaches because in most cases you need to take action as soon as possible. If a cyber attack occurs which puts the confidentiality, availability or integrity of personal data you hold at risk, it’s therefore a good idea to treat it as a personal data breach until you have gathered more information.
It is recommended that you take the following steps when a data breach occurs:
1. Take practical steps to contain the breach and recover any lost data
Your first priority should be containment and recovery (eg blocking activity or resetting accounts). To minimise any risks to either your business or individuals it’s important to respond quickly, so make sure your staff are fully trained to both identify potential data breaches and follow your internal reporting procedures. To put in place an internal policy for your staff, use our template Personal data breach policy. This can also be found in our Data breach toolkit.
2. Identify whether any personal data is affected
Personal data includes any information that would allow an individual to be identified, including their name, address, date of birth, username, IP address etc. If the data breach does not affect personal data, you’re not under the same legal obligations to either notify the ICO or affected individuals, or to keep written records. However, it is often advisable to do so, particularly if the breach is sufficiently serious.
3. Consider whether you’re a data controller or a data processor
If your business is simply acting as a data processor in respect of the personal data affected (ie you’re acting on the instructions of a data controller), you’re not under the same legal obligations (eg to notify the ICO). However, you must notify the data controller about the data breach as soon as possible. You should also review your data processing agreement with the data controller to see if you’re under any further obligations.
If your business is a data controller (ie you decide how and why the personal data is being processed), you should carry out the remainder of these steps.
4. Assess the risk the breach potentially carries to individuals
The ICO has a self-assessment tool to help you. You will need to consider a variety of factors, including the type of breach, the nature and sensitivity of affected data and the severity of the potential consequences for affected individuals. Our Q&A has further details to guide you.
In most cases, unless a breach leads to a temporary loss of access to data which causes inconvenience but ultimately doesn’t result in loss or damage to any personal data, it’s likely that there will be at least some potential risk to individuals.
5. Make necessary notifications
As set out above, if you determine that the personal data breach likely carries some risk to individuals, you must notify the ICO as soon as possible, and within 72 hours.
If you determine that the personal data breach carries a high risk to the rights and freedoms of individuals, then in most circumstances you must inform the individuals who have been affected in writing as soon as possible. You can use this template letter, which can also be found in our Data breach toolkit. There are some limited exceptions to this notification requirement, which you can read in our Q&A.
6. Keep a written record of the breach
Regardless of whether you have had to notify the ICO or affected individuals, you should keep a written record of all personal data breaches that have occurred in your business. This will help you to demonstrate that you have complied with your data protection obligations. For a template you can use for your internal records, see our Template personal data breach register. This can also be found in our Data breach toolkit.
To check off each step as you go, use our checklist for responding to a data breach.
Preventing personal data breaches
You are legally required to store any personal data that your business processes securely at all times. As you are likely to store much of this personal data electronically, this means putting in place appropriate cybersecurity measures. There are various steps you should consider taking, and what will be appropriate will depend on the nature and context of your business and its data processing activities. For further guidance about suggested security measures, see our Q&A on Secure data storage.
Before joining Sparqa Legal as a Senior Legal Editor in 2017, Frankie spent five years training and practising as a corporate disputes and investigations lawyer at leading international law firm Hogan Lovells. As legal insights lead, Frankie regularly contributes to Sparqa Legal’s blog, writing content across employment law, data protection, disputes and more.