Control measure: There is a documented approach to managing security incidents resulting in a personal data breach that is regularly reviewed to allow the organisation to plan effectively.
Risk: Without a formal written policy and guidelines for staff, there is a risk they will not know the procedure to follow should a personal data breach occur. This may breach article 5(2) or make it difficult to demonstrate compliance under article 24 of the UK GDPR.
Ways to meet our expectations:
- Have a breach notification policy with clear guidance for staff to follow in the event of a personal data breach.
- Put procedures in place for breach management and incident response teams to follow in the event of a personal data breach, including escalation, where appropriate.
- Make policies and procedures readily available to all staff (eg intranet, starter packs).
- Regularly review policies and procedures, including recording the review dates, versions and change log.
- Review policies and procedures in light of any personal data breaches or near misses.
- Document within policies and procedures a set of criteria to assess both the severity of the personal data breach and the likely effect on people's rights and freedoms. Include references to guidance (eg ICO guidance) and provide particular guidance on how to assess a 'high risk' to affected people.
Options to consider:
- Check all staff know about and can locate the breach notification policy and supporting guidance.
- Include within policies and supporting guidance the internal timelines for escalating personal data breaches.
- Ask for feedback from staff on the effectiveness of personal data breach policies and procedures (eg Do they contain all the required information? Are they clear and transparent to follow?).