Control measure: Procedures are in place to investigate personal data breaches and support organisational learning.
Risk: If there is no investigation and corrective action in response to a personal data breach, there is a risk that they will remain untreated and reoccur. Without completing trend analysis or understanding the root cause behind a personal data breach, and then learning from previous ones, there is a risk that future personal data breaches will be more severe or impactful. This may breach article 5(1)(f) and 5(2) of the UK GDPR.
Ways to meet our expectations:
- Conduct a formal investigation or root cause analysis (RCA) after a significant personal data breach has occurred.
- Report the results of investigations or RCAs to senior or strategic management.
- Record the findings from investigations or RCAs on the risk register, where appropriate, or feed into the information risk process.
- Periodically re-evaluate risks from previous personal data breaches.
- Put a methodology in place to capture lessons learned.
- Identify common trends through analysis and reviews of personal data breaches.
- Put processes in place to feedback lessons learned to staff and policy reviewers.
- Share the collective learnings from personal data breaches to embed lessons learned. Particularly if the type of processing is common across other business areas (including across any different sites or locations).
- Feed the issues into the audit programme to provide assurance that staff are following correct or improved procedures.
- Put key performance indicators in place and report these to senior or strategic management, for example on the number:
- of personal data breaches and near misses;
- reported to the ICO; and
- resulting in notifications to people.
Options to consider:
- Feed the findings from investigations and lessons learned into your training content and awareness raising activities.
- Feed the findings from investigations or RCAs into your information governance policy framework (eg the data protection policy and breach management procedure).