This is a brief guide to help sole traders, small organisations and SMEs understand and assess risk following a personal data breach. If you’ve had a personal data breach, there are some immediate steps you need to take, such as containing the breach. We’ve created a guide on how to deal with a personal data breach that will help you.
After discovering a personal data breach, an important step we recommend is completing a risk assessment. You’ll need to think about what data is involved in the breach, the number of people who will be affected and what harm may come to them as a result of the breach.
A breach is only reportable to the ICO under data protection law if personal data is involved and if it puts people at risk. But even if the personal data breach isn’t reportable, you should still continue with your risk assessment and put processes in place to help prevent it from happening again.
Alternatively, you can contact us for advice, and we’ll talk it over with you.
Step one: Check if personal data is involved
If you think there may have been a breach, you need to check whether personal data is involved.
A personal data breach doesn’t just mean any data that goes missing or is stolen.
For example, an email about your business sent to multiple addresses without using the BCC option might be a personal data breach, if your customers’ private email addresses were visible. But if it turns out that only the business email addresses of limited companies were visible, then it may not be a personal data breach because business information is not personal data. In this situation, you wouldn’t need to continue with your risk assessment or any other steps to take following a personal data breach, because that wouldn’t be what you’re dealing with here.
People’s names and addresses are common examples of personal data, but the term covers any data that could identify someone, such as photographs, comments they’ve made or other records.
Step two: Establish what personal data has been breached
You need to start your investigation into the personal data breach. You can base your investigation on what you know already about the type and amount of data that you think has been breached.
If you don’t already have a list of the information that you process about people, including what was contained in any personal data that might have been breached, you need to create this straight away. This will help you understand how seriously the breach might affect people.
The type of personal data involved matters, because the way you assess the risk will vary widely depending on the situation. For example, if the breach involves the sensitive personal data of vulnerable people, or financial information that may lead to identity fraud, these are both likely to be high risk situations. You need to handle sensitive personal data with even more care than other types of personal data.
You should try to find out as much as you can about what information was involved in the data breach.
Step three: Consider who might have the personal data
If your personal data breach involves someone inappropriately accessing the data or it being lost or stolen, you need to think about who might have access to the data now.
If someone has been sent the data in error, accessed it without your authorisation or it has been lost or stolen, then you face different levels of risks depending on who is involved.
For example, accidentally sending an email internally to the wrong department in your business is lower risk than sending the same email to an unknown person outside your business.
Step four: Work out how many people might be affected
You need to know how many people might be affected by the breach, whether it’s single figures or the hundreds of thousands.
Depending on what personal data you use, the people affected might include your customers, clients, service users, staff or shareholders.
For example, if a set of documents has been sent to the wrong address, you might immediately know they contain some personal data. However, you’re likely to need to investigate more before you can be certain what was in the documents and how many people will be affected.
Your initial investigation into the breach will be based on the information you currently have, but your risk assessment may change as you find out more information.
Step five: Consider how seriously it will affect people
You need to think about what impact the breach might have on people’s lives, and in particular if you think it could do them any harm.
Every situation will be different, but there are a number of questions to ask yourself, such as:
- Are the people involved vulnerable adults or children?
- Is it likely the breach will put someone in an unsafe situation?
- Are people at risk of losing money, their job or their home as a result of the breach?
- Do you know how the breach will impact people’s health and wellbeing?
Thinking about the impact the breach will have on people can help you decide what to do to try and limit that impact and protect them from potential further harm.
Step six: Document everything else you know about the breach
If there’s more to investigate about the breach, you should look at this now, including why it happened and what you did when you found out about it.
Common types of personal data breaches include:
- staff members inappropriately accessing personal data;
- staff taking data with them when they leave an organisation; security breaches or hacks of computer systems; and
- personal data being sent to the wrong person by mistake.
Some common types of risk are identify theft, discrimination and reputational damage to the people whose data has been breached.
You need to find out what has happened in your situation and decide if it was the result of human error, a system error, a deliberate or malicious act or something else.
There are steps that you can take to contain the breach and mitigate its impact, such as trying to retrieve the data, asking third parties to delete information that was sent to them in error or changing passwords. You should keep a record of the steps you’ve taken and include this as part of your risk assessment.
Step seven: Assess the risk
Even if you don’t have all the information yet, you should still begin considering the impact of the breach and making a risk assessment based on what you know.
Risk in personal data breaches means the risk to the people whose data may have been breached.
A risk assessment, in personal data breach terms, is where you think about how seriously you think people might be harmed and the probability of this happening.
Your risk assessment should take into account who might be affected, how many people might be affected and the ways it might affect them. There will always be other risks for you to consider, such as the risk to your reputation, or financial loss, but your first response should be to look at the risk to individuals and think about any steps you can take to reduce that risk or help them in some other way.
Whether or not it’s a high-risk situation depends on what the personal data is and what could potentially happen with that data. If you decide it’s unlikely there will be a negative impact on those concerned, you might categorise it as low risk. However, if the potential consequences are very significant, you might consider the overall risk assessment to be high, even if it’s unlikely to happen. Follow our guide on what to do in the 72 hours after a personal data breach, which includes advice on letting people know about the breach.
In every situation, levels of risk can vary and your decisions might change as new information becomes available.
If you’re not sure what the risk is, contact us to talk through what has happened. We can help you make a decision and support you through the next steps.