Would your organisation know what to do in the event of a data breach?
Jersey’s Data Protection Law (DPJL) includes a duty on all organisations to report certain types of personal data breach to the Jersey Office of the Information Commissioner (JOIC).
Today, the JOIC’s Compliance and Enforcement Manager Adrian Hayes answers our questions.
What is a data breach?
‘Personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Unauthorised or unlawful processing may include disclosure of personal data to (or access by) recipients who are not authorised to receive (or access) the data, or any other form of processing which violates the DPJL’s security principle.
How likely is an organisation to suffer a data breach?
Every organisation is likely to suffer a data breach of some description. Some will be big, some small, and some may attract media attention.
There will never be a convenient time for an organisation to suffer a breach. It is likely to happen and when it does, organisations need to be ready to devote appropriate time and resources to dealing with it.
When reporting a breach, what do you need to consider?
The DPJL states: ‘In the case of a personal data breach, the controller must, without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach in writing to the Authority in the manner required by the Authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.’
As part of the response to a breach, organisations should ask themselves the following questions:
- Does the breach involve personal information?
- Does the breach involve special category (sensitive) information, e.g. about someone’s health or sexuality?
- Is there likely to be a risk to the rights and freedoms of individuals?
- Could the breach lead to physical, material or non-material damage for the affected individuals?
What are some of the key things to think about when preparing for a breach?
Organisations should make sure they map out a response plan in advance. Then store that plan offline in case of a catastrophic breach.
They should identify key players and define roles and responsibilities. They should also train staff, ‘stress test’ in advance and give appropriate thought to Data Protection by Design, considering data protection risks, policies and procedures from the outset. Specific data protection guidance for organisations is available here.
Where do you start when considering what to do in the event of a breach?
In order to comply with their obligations under the DPJL principle of Accountability, as well as the requirement to record relevant information, organisations should be able to demonstrate to the JOIC when and how they became aware of a personal data breach.
The JOIC recommends that organisations, as part of their internal breach procedures, have a system in place for recording how and when they become aware of a personal data breach and how they assessed the potential risk posed by the breach. It also recommends that staff know what to do if something untoward happens, who to report it to, and who will have overall responsibility for dealing with matters.
What should be considered after a breach has occurred?
Organisations should review what has been learned from the breach, consider what they have done or should do to improve practices, and decide what they have done or will do to prevent similar breaches from occurring again.
Before an organisation can fully assess the risk arising from a breach caused by some form of attack, the root cause of the issue should be identified in order to establish whether any vulnerabilities that gave rise to the incident are still present and exploitable.