Control measure: There are procedures in place to make sure that personal data incidents and breaches are detected, managed and appropriately recorded.
Risk: Without appropriate technical and organisational measures in place to protect the personal information processed (including preventing and detecting personal data breaches), there is a heightened risk of a personal data breach occurring. This may breach articles 5(1)(f) and 32 of the UK GDPR.
Ways to meet our expectations:
- Have appropriate training in place so that staff are able to recognise a security incident and a personal data breach.
- Appoint a dedicated person or team to manage security incidents and personal data breaches.
- Ensure staff know how to escalate a security incident promptly to the appropriate person or team to determine whether a breach has occurred.
- Ensure procedures and systems facilitate the reporting of security incidents and breaches.
- Implement a response plan for promptly addressing any security incidents and personal data breaches that occur.
- Centrally log, record and document both actual breaches and near misses (even if they do not need to be reported to the ICO or people).
- Document in the log the facts relating to the near miss or breach, including:
  - its causes;
  - what happened;
  - the personal information affected;
  - the effects of the breach; and
  - any remedial action taken and the rationale for it.
Options to consider:
- Check your breach detection measures are appropriate to the amount, type and sensitivity of personal information processed.
- Provide specialised personal data breach training to decision makers so they are able to effectively carry out this aspect of their role.
- Provide supplementary guidance to personal data breach decision makers (eg security incident flowcharts).
- Check all staff know about and can locate the breach notification policy and supporting guidance.
Have you considered the effectiveness of your accountability measures?
- Could staff explain what constitutes a personal data breach?
- Do they know how to report incidents?
- Would a sample of how you manage incidents demonstrate adherence to the policy and procedures?
Control measure: There are procedures to assess all security incidents and then report relevant breaches to the ICO within the statutory time frame.
Risk: Without a proactive understanding of the inherent risk in the information that is processed, or a documented rationale behind any assessment made in the event of a personal data breach, there may be a breach of article 33. This may also result in separate infringements of articles 5(1)(f) and 32 of the UK GDPR.
Ways to meet our expectations:
- Have a procedure to assess the likelihood and severity of the risk to people as a result of a personal data breach.
- Have a procedure to notify the ICO of a breach within 72 hours of becoming aware of it (even if not all the information is yet available, in which case provide it in phases) and notify the ICO on time.
- Ensure the procedure includes details of what information must be given to the ICO about the breach.
- If you consider it unnecessary to report a breach, document the reasons why your organisation considers the breach unlikely to result in a risk to the rights and freedoms of people.
Options to consider:
- Keep breach response plans under review and test regularly, especially following personal data breaches and near misses.
- Ask for feedback from staff on their understanding of how to assess risks within all areas of their work, both to ensure consistency in approach and to identify any training needs.
- Ensure the processes for reporting to the ICO include agreed procedures with any joint controllers or processors.
Have you considered the effectiveness of your accountability measures?
- Are staff aware of the policies and procedures and are they easy to find?
- Do staff understand how to conduct the risk assessment?
- Do they know when a breach needs to be reported to the ICO?
Control measure: There are procedures to notify affected people where the breach is likely to result in a high risk to their rights and freedoms.
Risk: If the personal data breach is not communicated to them as soon as possible, people will be unable to take the necessary precautions. This may breach articles 34, 5(1)(f) and 32 of the UK GDPR, and whether and how you notified is a factor under article 83(2) when penalties are considered.
Ways to meet our expectations:
- Have a procedure setting out how you will tell affected people about a breach when it is likely to result in a high risk to their rights and freedoms.
- Tell people about personal data breaches in clear, plain language without undue delay.
- Ensure the information you provide to people includes the DPO’s details, a description of the likely consequences of the breach and the measures taken (including mitigating actions and any possible adverse effects).
- Provide people with advice to protect themselves from any effects of the breach.
Options to consider:
- Consider the audience who are receiving notification of the personal data breach in your communication plans and templates (eg by making alternative accessible formats available).
Have you considered the effectiveness of your accountability measures?
- Would people say that they were told about personal data breaches in a helpful and timely way?
- Did they get the information they needed?
- Were they satisfied with the steps you took to mitigate the impact?
Control measure: Personal data breaches are reviewed and monitored.
Risk: If there is no investigation and corrective action in response to a personal data breach, there is a risk that its causes will remain untreated and the breach will recur. Without completing trend analysis or understanding the root cause behind a personal data breach, and then learning from previous ones, there is a risk that future personal data breaches will be more severe or impactful. This may breach articles 5(1)(f) and 5(2) of the UK GDPR.
Ways to meet our expectations:
- Analyse all personal data breach reports to prevent a recurrence.
- Monitor the type, volume and cost of incidents.
- Undertake trend analysis on breach reports over time to understand themes or issues.
- Ensure groups with oversight for data protection and information governance review the outputs.
Options to consider:
- Feed the findings from investigations and lessons learned into your training content and awareness raising activities.
Have you considered the effectiveness of your accountability measures?
- Could we see an example of how you handled an incident that required lessons to be learned?
- Were the steps you took to prevent a recurrence of the incident effective?
Control measure: There are external data protection and information governance audits or other compliance checking procedures.
Risk: A reliance on internal audits and assurances can result in blind spots, causing inaccurate risk assessment and potential breaches. This may breach article 5(1) of the UK GDPR.
Ways to meet our expectations:
- Complete externally-provided self-assessment tools to provide assurances on data protection and information security compliance.
- Ensure your organisation is subject to or employs the services of an external auditor to provide independent assurances (or certification) on data protection and information security compliance.
- Adhere to an appropriate code of conduct or practice for your sector (if one exists).
- Produce audit reports to document the findings.
- Have a central action plan in place to take forward the outputs from data protection and information governance audits.
Options to consider:
- Research publications on risk and threat analysis for your sector to identify weaknesses in the control environment.
- Work towards accredited, sector-specific certification.
Have you considered the effectiveness of your accountability measures?
- Do staff adhere to the external standards as claimed?
- Are they aware of a range of suitable external tools?
- Are senior managers aware?
Control measure: There is an internal audit programme, covering data protection and related information governance (for example security and records management) in sufficient detail.
Risk: Without an internal audit programme, there is limited assurance that risk management is sufficient or effective. Oversight and governance bodies may not have the correct information to make the necessary decisions. Without ongoing compliance monitoring, controls may be incorrectly implemented, potentially leading to breaches. This may breach article 5(1) of the UK GDPR.
Ways to meet our expectations:
- Monitor your own data protection compliance and regularly test the effectiveness of the measures you have in place.
- Regularly test staff adherence to data protection and information governance policies and procedures.
- Routinely conduct informal ad-hoc monitoring and spot checks.
- Ensure your monitoring of policy compliance is unbiased by keeping it separate from those who implement the policies.
- Have a central audit plan/schedule in place to show the planning of data protection and information governance internal audits.
- Produce audit reports to document the findings.
- Have a central action plan in place to take forward the outputs from data protection and information governance audits.
Options to consider:
- Provide the findings and outputs from internal audits of data protection to oversight and governance boards.
- Ensure the internal audit work plan is agile (ie so there is scope to plan themed data protection audits at different points throughout the year).
- Use the findings and outcomes of the proactive checks and audits to determine where further training may be required.
- Involve data protection champions in delivering audits, to support a privacy culture.
Have you considered the effectiveness of your accountability measures?
- Could staff explain a sample of actions from the action plan including how they were identified, progressed and closed?
- Do senior management have oversight of the action plan?
- Are there appropriate links to a risk management process and register?
Control measure: There are business targets relating to data protection compliance and information governance, and access to the relevant information to assess against them.
Risk: Not gathering key performance indicators (KPIs) risks a missed opportunity for valuable oversight and for understanding the effectiveness of control measures. Risks may be inaccurately assessed and managed, leading to breaches. This may result in a breach of article 5(2) of the UK GDPR.
Ways to meet our expectations:
- Have KPIs regarding subject access request (SAR) performance (the volume of requests and the percentage completed within statutory timescales).
- Have KPIs regarding the completion of data protection and information governance training, including a report showing the percentage of staff who complete training.
- Have KPIs regarding information security, including the number of security breaches, incidents and near misses.
- Have KPIs regarding records management, including the use of metrics such as file retrieval statistics, adherence to disposal schedules and the performance of the system in place to index and track paper files containing personal information.
Options to consider:
- Use KPI trends to determine whether resourcing is appropriately matched and where further training may be required.
Have you considered the effectiveness of your accountability measures?
- Could staff explain any instances of non-compliance to statutory timescales highlighted in the reports and the actions taken to address the issue?
Control measure: Relevant management information and the outcomes of monitoring and review activity are communicated to relevant internal stakeholders, including senior management as appropriate. This information informs discussions and actions.
Risk: If management or relevant internal stakeholders are not given information on performance against data protection KPIs, they may be unaware of potential issues or non-compliance and unable to introduce the appropriate technical or organisational measures to improve performance.
Ways to meet our expectations:
- Have a dashboard giving a high-level summary of all key data protection and information governance KPIs.
- Regularly discuss KPIs and the outcomes of monitoring and reviews at the group(s) providing oversight of data protection and information governance.
- Discuss data protection and information governance KPIs and the outcomes of monitoring and reviews at groups at operational level, for example in team meetings.
Options to consider:
- Document how information will flow between management and operational teams to make KPI monitoring more efficient.
- Have action plans for improvement where KPIs are below target.
Have you considered the effectiveness of your accountability measures?
- Could you give examples of information flowing between operational levels and senior management?
- Are staff given appropriate information?
- Do they understand it and are the actions taken clear?
Useful links
ICO guidance:
- Personal data breaches
- ICO Webinar: Personal data breaches: Assessing the risk and Personal data breach reporting
External guidance:
- National Cyber Security Centre: 10 Steps to Cyber Security - Incident management