In this day and age, it’s not if you suffer a data breach, but when. The average cost of a data breach is estimated at £2.53 million, and, to date, the ICO has issued penalties to organisations amounting to more than £6 million because of their poor information security practices.
Getting your systems up to scratch, and following this through to your staff, processes and technology, will help make your organisation as robust as it can be.
The ICO and the GDPR: what to do if breached
But if your organisation is breached – and this is still possible even with the toughest of systems – you need to take a number of steps immediately:
- Notify the ICO
- Notify your customers if the breach is likely to adversely affect their personal data or privacy
- Record the incident in a breach log
Moreover, the GDPR will come into force on 25 May 2018, imposing stringent data security requirements on all organisations that process or handle data of EU residents. Any organisation that fails to meet these requirements will be faced with fines of up to 4% of their annual global turnover (NB turnover, not profit) or €20 million – whichever is greater.
Your organisation will likely be investigated by a supervisory authority (which, in the UK, will almost certainly be the ICO), and you will be tasked with demonstrating what you had done to prevent the breach.
Provide hard evidence
A sure-fire way to back up your claim that you practise good information security is showing your ISMS (information security management system) in documented form.
If you’ve kept your documentation up to date, and if it’s based on best practice, then it will act as evidence that you’ve endeavoured to keep personal data secure, reducing the impact of monetary penalties, negative press and loss of customer trust.
Organisations that implement an ISO 27001 ISMS are considered to have world-class information security. The Standard is the globally accepted benchmark for the effective management of information assets, enabling organisations to avoid costly penalties and financial losses.
Documenting your ISMS couldn’t be easier. The ISO 27001 ISMS Documentation Toolkit contains pre-written documents, produced by practising auditors, to help you create your policies, procedures and records. You simply need to customise the documents to your organisation, align them with your own controls, and update them regularly.