Nearly half (46%) of UK businesses have recently been hit by a cyber breach or digital attack, according to the government’s Cyber Security Breaches Survey 2017.
High-profile businesses that have exposed customer data include retailer Debenhams, mobile phone company Three, and Tesco Bank, which had to reimburse a staggering £2.5 million to more than 9,000 customers after hackers found a weakness in its mobile banking app.
In January, Carphone Warehouse was fined £400,000 by the Information Commissioner’s Office (ICO) after hackers accessed the personal data of more than three million customers and 1,000 employees. Customer data included names, addresses, phone numbers, dates of birth and marital status. More than 18,000 customers had their historical payment card details compromised.
But not all of these incidents were the result of hacks. Many were due to human error, such as sending information to the wrong person or losing personal data (as was the case with Age UK).
Under GDPR, the penalties and rules are significantly tougher for companies found wanting in their data protection regimes. Companies are required to report breaches to the ICO within 72 hours of discovering them, and to notify the person (the “data subject”) whose details are likely to have been compromised. Here’s how to report a data breach.
How to report a data breach to the ICO
Your organisation’s designated data controller is required to report a personal data breach to the ICO no later than 72 hours after becoming aware of it, unless the breach is unlikely to compromise data subjects (and don’t take liberties with the idea of ‘unlikely’; the ICO won’t be impressed). You’ll need to notify the ICO of:
- The nature of the breach, including the number of data subjects and personal data records concerned, plus the categories of data involved (e.g. addresses, bank details, etc.)
- The name and contact details of your Data Protection Officer (DPO)
- The potential consequences of the data breach
- The measures you have taken or propose to take to address the breach and/or mitigate its effects
Reporting a personal data breach to the data subject
You must also alert the people whose personal data has likely been compromised. Again, you’re required to do this without undue delay, and in clear, plain language. You’ll need to let them know:
- The name and contact details of your DPO or key contact
- The likely consequences of the data breach
- What you’ve done or propose to do to address the breach or contain the situation
The ICO publishes checklists on preparing for and responding to a personal data breach.
To help organisations address GDPR requirements, Me Learning has worked alongside industry and legal professionals to develop a suite of e-learning courses. To find out how we could help you and your organisation, click here.