How did you score on the #breachready self-assessment survey?

Our report looks into each step you need to take when preparing for, reporting and responding to a data breach, offering advice on how you can improve your organisation’s breach readiness.

1. Your ability to respond to an incident

Without a process in place to manage your response in the event of a breach, you’ll be unprepared when a disaster strikes. This means you run the risk of responding too slowly and exceeding the GDPR’s (General Data Protection Regulation) 72-hour reporting deadline. It also means you could suffer business disruption for extended periods of time, leading to unnecessary costs, unhappy customers and lost revenue.

Being better prepared for a breach means establishing an incident response process that will help you identify what happened, how and when.


Take a look at our incident response solutions, including training, documentation and consultancy.

Data breach reporting: situational analysis

2. Your ability to identify all the personal data you process

Most organisations process much more personal data than they realise. Mapping the data flows within your organisation will give you a full understanding of all the personal data you collect, store or otherwise process, as well as where and how you transfer it.

It’s much easier to do this using a specialised tool, as it will help you identify exactly where your personal data resides.


Take a look at how we recommend you assess your data below.

Data breach reporting: assessing the affected data

3. Your ability to identify the personal data that may be affected in a breach

It may come as a surprise, but most organisations process much more personal data than they realise. As you’re unsure of the data flows within your organisation, we recommend you start mapping your data.

Mapping the data flows will give you a full understanding of the personal data you collect, store or otherwise process, as well as where and how you transfer it.


To find out how you can improve your ability to identify all your personal data, we recommend you consider the following solutions.

Data breach reporting: assessing the affected data

4. Your risk assessment programme

Let’s reduce those risks! Identifying the risks you face will not only help you spot threats but also help you determine the impact of a breach on your data subjects and organisation.

Information security threats are continually evolving, which is why the GDPR requires a risk-based approach to data security management.


For optimal risk management, take a look at our risk assessment solutions.

Data breach reporting: describing the impact

5. Your ability to recover from a data breach

When it comes to data breaches, preparation is key. It’s worrying that you don’t know how long it will take to recover from a data breach and restore critical functions.

Conducting a BIA (business impact analysis) will help you determine the extent of the damage caused and ensure you fully understand the risks you face. A BIA helps you assess the impact of a breach on critical business functions so that you can quickly resume business as usual. BIAs are an essential part of overall business continuity management. If you haven’t already, you may also want to consider implementing a BCM (business continuity management) programme.


Here are some solutions we propose:

Data breach reporting: describing the impact

6. Your staff’s knowledge

Training employees on the GDPR and its requirements will help embed effective security and personal data management practices across the business and reduce the risk of attack.

Our GDPR training courses ensure key staff members understand the Regulation’s requirements and can implement the appropriate measures to ensure compliance.


Find out more about our GDPR training courses:

Data breach reporting: staff training and awareness

7. Your staff awareness and communications processes

There could be serious issues if your staff don’t know how to escalate a security incident to the appropriate person(s). With human error causing 88% of data breaches reported to the ICO (Information Commissioner’s Office) in 2017/18, ensuring regular staff awareness training is crucial.


Boost staff confidence about spotting and reporting potential threats with our staff awareness solutions:

Data breach reporting: staff training and awareness

8. Your information security practices

Not having an information security programme aligned to best practice is poor form!

Although firewalls and antivirus solutions are helpful, any security expert will tell you that technical controls are no longer enough.

Data security needs to take into account people, processes and technology. Every organisation needs a combination of technical controls, supported by a set of robust policies and procedures, driven and managed by competent staff.

To improve your data security, we recommend that you:

  • Get Cyber Essentials certification as a baseline. This is an affordable and practical framework that will help you prevent up to 80% of cyber attacks. It’s basic but gets the job done, which is why it’s been introduced and continues to be supported by the UK government;
  • Undertake regular penetration testing to determine the vulnerabilities in your systems and networks so that you can address them before cyber criminals find and exploit them; and
  • Consider implementing an ISMS (information security management system) based on the requirements laid out by ISO 27001 – the world’s leading information security standard. Adoption of ISO 27001 is growing at a dramatic rate due to the data security assurance it offers.

To further strengthen your data security practices, take a look at our recommended solutions.

Data breach reporting: preventive measures and taking action

9. Your ability to contain a data breach

With data breaches on the rise, an effective response plan is vital. Having measures in place to address any data breaches that occur will help you respond to and recover from a data breach quickly. The speed at which you identify and mitigate a breach can make a significant difference in controlling your risks, cost and exposure.


Check our data breach response tools and services for further guidance.

Data breach reporting: situational analysis

10. Your ability to report a data breach to authorities

Missing the GDPR’s 72-hour reporting deadline shouldn’t be taken lightly and could harm your organisation’s reputation. It will also affect whether or not you receive a fine from the ICO, and how heavy that fine might be.


Find out how you can strengthen your approach to reporting a data breach with these resources:

Data breach reporting: oversight

11. Your ability to report a data breach to those affected

Under the GDPR, you’re not only required to report a breach to the ICO but must also notify data subjects of data breaches that present a high risk to their rights and freedoms.

The GDPR mandates that data processors notify data controllers of personal data breaches “without undue delay”. Data controllers must inform the ICO of breaches that are likely to result in a risk to data subjects’ rights and freedoms within 72 hours of becoming aware of the breach.


Find out how you can improve your data breach reporting:

Data breach reporting: oversight

12. Your GDPR expertise

Although the GDPR doesn’t require all organisations to appoint a DPO (data protection officer), appointing someone to focus on data protection is good practice, even if you do not call them a DPO.

The function doesn’t necessarily have to be in-house: appointing an external DPO is a simple solution to meet your requirements.


Take a look at what’s on offer.

Data breach reporting: oversight
