Why is this important?
You need to be able to detect, investigate, risk-assess and record any breaches. You must report them as appropriate. Having effective processes in place helps you to do this. A personal data breach can have a range of adverse effects on individuals. There can be serious repercussions for organisations, their employees and customers, such as financial penalties (failure to notify a breach when required can result in a fine up to 10 million Euros or 2% of your global turnover), reputational damage, loss of business and disciplinary action.
At a glance – what we expect from you
- Detecting, managing and recording incidents and breaches
- Assessing and reporting breaches
- Notifying individuals
- Reviewing and monitoring
- External audit or compliance check
- Internal audit programme
- Performance and compliance information
- Use of management information
Detecting, managing and recording incidents and breaches
You have procedures in place to make sure that you detect, manage and appropriately record personal data incidents and breaches.
Ways to meet our expectations:
- You have appropriate training in place so that staff are able to recognise a security incident and a personal data breach.
- A dedicated person or team manages security incidents and personal data breaches.
- Staff know how to escalate a security incident promptly to the appropriate person or team to determine whether a breach has occurred.
- Procedures and systems facilitate the reporting of security incidents and breaches.
- Your organisation has a response plan for promptly addressing any security incidents and personal data breaches that occur.
- You centrally log/record/document both actual breaches and near misses (even if they do not need to be reported to the ICO or individuals).
- The log documents the facts relating to the near miss or breach including:
- its causes;
- what happened;
- the personal data affected;
- the effects of the breach; and
- any remedial action taken and rationale.
Have you considered the effectiveness of your accountability measures?
- Could staff explain what constitutes a personal data breach?
- Do they know how to report incidents?
- Would a sample of how you manage incidents demonstrate adherence to the policy and procedures?
Assessing and reporting breaches
You have procedures to assess all security incidents and then report relevant breaches to the ICO within the statutory time frame.
Ways to meet our expectations:
- You have a procedure to assess the likelihood and severity of the risk to individuals as a result of a personal data breach.
- You have a procedure to notify the ICO of a breach within 72 hours of becoming aware of it (even when all the information is not yet available) and you notify the ICO on time.
- The procedure includes details of what information must be given to the ICO about the breach.
- If you consider it unnecessary to report a breach, you document the reasons why your organisation considers the breach unlikely to result in a risk to the rights and freedoms of individuals.
Have you considered the effectiveness of your accountability measures?
- Are staff aware of the policies and procedures and are they easy to find?
- Do staff understand how to conduct the risk assessment?
- Do they know when a breach needs to be reported to the ICO?
Notifying individuals
You have procedures to notify affected individuals where the breach is likely to result in a high risk to their rights and freedoms.
Ways to meet our expectations:
- You have a procedure setting out how you will tell affected individuals about a breach when it is likely to result in a high risk to their rights and freedoms.
- You tell individuals about personal data breaches in clear, plain language without undue delay
- The information you provide to individuals includes the DPO’s details, a description of the likely consequences of the breach and the measures taken (including mitigating actions and any possible adverse effects).
- You provide individuals with advice to protect themselves from any effects of the breach.
Have you considered the effectiveness of your accountability measures?
- Would individuals say that they were told about personal data breaches in a helpful and timely way?
- Did they get the information they needed?
- Were they satisfied with the steps you took to mitigate the impact?
Reviewing and monitoring
You review and monitor personal data breaches.
Ways to meet our expectations:
- You analyse all personal data breach reports to prevent a recurrence.
- Your organisation monitors the type, volume and cost of incidents.
- You undertake trend analysis on breach reports over time to understand themes or issues, and outputs are reviewed by groups with oversight for data protection and information governance.
- Groups with oversight for data protection and information governance review the outputs.
Have you considered the effectiveness of your accountability measures?
- Could we see an example of how you handled an incident that required lessons to be learned?
- Were the steps you took to prevent a recurrence of the incident effective?
External audit or compliance check
Your organisation arranges an external data protection and information governance audit or other compliance checking procedure.
Ways to meet our expectations:
- Your organisation completes externally-provided self-assessment tools to provide assurances on data protection and information security compliance.
- Your organisation is subject to or employs the services of an external auditor to provide independent assurances (or certification) on data protection and information security compliance.
- Your organisation adheres to an appropriate code of conduct or practice for your sector (if one exists).
- You produce audit reports to document the findings.
- You have a central action plan in place to take forward the outputs from data protection and information governance audits.
Have you considered the effectiveness of your accountability measures?
- Do staff adhere to the external standards as claimed?
- Are they aware of a range of suitable external tools?
- Are senior managers aware?
Internal audit programme
If your organisation has an internal audit programme, it covers data protection and related information governance (for example security and records management) in sufficient detail.
Ways to meet our expectations:
- You monitor your own data protection compliance and you regularly test the effectiveness of the measures you have in place.
- Your organisation regularly tests staff adherence to data protection and information governance policies and procedures.
- You routinely conduct informal ad-hoc monitoring and spot checks.
- You ensure your monitoring of policy compliance is unbiased by keeping it separate from those who implement the policies.
- You have a central audit plan/schedule in place to show the planning of data protection and information governance internal audits.
- You produce audit reports to document the findings.
- You have a central action plan in place to take forward the outputs from data protection and information governance audits.
Have you considered the effectiveness of your accountability measures?
- Could staff explain a sample of actions from the action plan including how they were identified, progressed and closed?
- Do senior management have oversight of the Action Plan?
- Are there appropriate links to a risk management process and register?
Performance and compliance information
Your organisation has business targets relating to data protection compliance and information governance, and you can access the relevant information to assess against them
Ways to meet our expectations:
- You have KPIs regarding subject access request (SAR) performance (the volume of requests and the percentage completed within statutory timescales).
- You have KPIs regarding the completion of data protection and information governance training, including a report showing the percentage of staff who complete training.
- You have KPIs regarding information security, including the number of security breaches, incidents and near misses.
- You have KPIs regarding records management, including the use of metrics such as file retrieval statistics, adherence to disposal schedules and the performance of the system in place to index and track paper files containing personal data.
Have you considered the effectiveness of your accountability measures?
- Could staff explain any instances of non-compliance to statutory timescales highlighted in the reports and the actions taken to address the issue?
Use of management information
All relevant management information and the outcomes of monitoring and review activity are communicated to relevant internal stakeholders, including senior management as appropriate. This information informs discussions and actions.
Ways to meet our expectations:
- You have a dashboard giving a high-level summary of all key data protection and information governance KPIs.
- The group(s) providing oversight of data protection and information governance regularly discuss KPIs and the outcomes of monitoring and reviews.
- Data protection and information governance KPIs and the outcomes of monitoring and reviews are discussed regularly by groups at operational level, for example in team meetings.
Have you considered the effectiveness of your accountability measures?
- Could you give examples of information flowing between operational levels and senior management?
- Are staff given appropriate information?
- Do they understand it and are the actions taken clear?
Further reading
ICO guidance:
- Personal data breaches
- ICO Webinar: Personal data breaches: Assessing the risk and Personal data breach reporting
External guidance:
- National Cyber Security Centre: 10 Steps to Cyber Security - Incident management