Data breaches – the key questions your board must ask

Data breaches have become a board-level issue for many organisations. The number of incidents only continues to grow, which is something the board must be ready to address.

So, what questions should a board be asking in order to be #BreachReady?

What personal data do we have on file?

Personal data is information that relates to an individual. It can be anything from customer contact info to an employee’s medical history, as long as the individual can be identified or identifiable, directly or indirectly, from the data you are processing. Examples include:

  • A name and surname;
  • A home address;
  • An email address;
  • An identification card number;
  • Location data (for example, the location data function on a mobile phone);
  • An IP address;
  • A cookie ID;
  • The advertising identifier of your phone; and
  • Data held by a hospital or doctor, which could be a code or symbol that uniquely identifies a person.

Do we need to appoint a DPO (data protection officer)?

A DPO is responsible for monitoring an organisation’s compliance, informing and advising on its data protection obligations and acting as a contact point for data subjects and the relevant supervisory authority.

Although all UK organisations that collect, store or process EU residents’ personal data have to comply with the GDPR (General Data Protection Regulation), not every organisation is required to appoint a DPO. Each organisation must assess whether it needs to appoint one and, if so, who should be given that responsibility. There are some legal requirements that must be met – for instance, the DPO cannot have any conflicts of interest – which can prove challenging.

What sort of procedures should we be implementing?

It’s essential that an organisation implements the procedures that give it every chance of avoiding a data breach. These can include using encrypted devices to store your data, training your staff so they are more aware of the dangers of not safeguarding data, implementing software to keep data organised, and even achieving certification to an industry standard such as ISO 27001, the international standard that describes the requirements for an ISMS (information security management system).

Are you ready for a breach?

Find out how prepared your organisation is for a data breach with our new quiz, which gives you a breach readiness score as well as a free personalised report on how #BreachReady you are. You’ll also get a summary of your answers with advice on what to do next to make sure you’re prepared.
