Control measure: Staff with responsibility for processing personal information are able to recognise and escalate personal data breaches.
Risk: Without technological protection and organisational measures, there is a risk that staff may not be aware of or able to recognise a personal data breach. This may breach articles 5 (1) (f), 33 and 34 of the UK GDPR.
Ways to meet our expectations:
- Train staff to recognise and report personal data breaches before they work with personal information.
- Provide periodic staff refresher training to recognise and escalate personal data breaches.
- Reinforce training with reminders (eg posters, newsletter sections, emails and intranet bulletins).
- Incorporate anonymised examples of personal data breaches into data protection training, particularly if training is tailored to specific business areas.
- Include in the training an adequate explanation of how each personal data breach occurred to raise awareness and mitigate against future occurrences of each type of incident.
- Provide written, easily accessible staff guidance on recognising and handling personal data breaches.
- Implement a culture of trust so employees feel able to report near misses.
Options to consider:
- Ask for input and direction into the personal data breach training content from the Data Protection Officer (DPO) or Information Governance team members, as appropriate.
- Test staff understanding at the end of the training, possibly including a minimum pass mark, to ensure training is effective.
Control measure: Decision-makers are equipped to make informed decisions about personal data breaches.
Risk: If senior staff are unable to assess the severity of a personal data breach and the risk to people impacted, this may breach articles 5 (1) (f), 33 and 34 of the UK GDPR.
Ways to meet our expectations:
- Provide specialised personal data breach training to decision makers so they are able to effectively carry out this aspect of their role.
- Provide supplementary guidance to personal data breach decision makers (eg security incident flowcharts).
- Regularly refresh specialised training.
Options to consider:
- Ask for input and direction on the content of specialised personal data breach training from the DPO or Information Governance team.
- Ask for feedback from decision makers on the effectiveness of the training and act on any recommendations.