With 43% of businesses already having suffered a breach or attack, it’s vital that you know the steps you need to take to report a breach.
Under the GDPR (General Data Protection Regulation), certain types of data breach must be reported to the ICO (Information Commissioner’s Office) within 72 hours of becoming aware of them.
You should provide as much information as you can about the breach, based on the following steps:
You need to give the ICO information about what happened, what went wrong and how it happened. It is also important to include when the breach occurred and when you discovered it.
Assess the data affected
What personal data has been affected and how many records have been breached?
Article 30 of the GDPR requires data controllers and processors to maintain written records of their processing activities, which must be made available to the ICO on request.
Describe the impact
As accurately as you can, describe the impact that the breach may have on the data subjects and if they will experience any consequences as a result.
Report on staff training and awareness
You will need to tell the ICO whether the staff member involved in the breach had received data protection training in the last two years.
Preventive measures and taking action
Describe the actions you took or propose to take as a result of the breach. You should also state whether you have informed the data subjects of the breach and if you have told or are planning to tell any other organisation.
The ICO will need to know the names of the data controller, the person making the report, and the data protection officer or person responsible for data protection in your organisation, as well as the organisation’s registered address.
The Data Breach Survival Guide
To find out more about how to report a breach and get your organisation #BreachReady, take a look at our new guide, The Data Breach Survival Guide. This guide goes through each step in depth, as well as explaining how you can prepare for a breach and protect your organisation.