The ICO exists to empower you through information.

Control measure: Staff with responsibility for processing personal information are able to recognise and escalate personal data breaches.

Risk: Without technological protection and organisational measures, there is a risk that staff may not be aware of or able to recognise a personal data breach. This may breach articles 5 (1) (f), 33 and 34 of the UK GPDR.

Ways to meet our expectations:

  • Train staff to recognise and report personal data breaches before they work with personal information.
  • Provide periodic staff refresher training to recognise and escalate personal data breaches.
  • Reinforce training with reminders (eg posters, newsletter sections, emails and intranet bulletins).
  • Incorporate anonymised examples of personal data breaches into data protection training, particularly if training is tailored to specific business areas.
  • Include in the training an adequate explanation of how each personal data breach occurred to raise awareness and mitigate against future occurrences of each type of incident.
  • Provide written, easily accessible staff guidance on recognising and handling personal data breaches.
  • Implement a culture of trust so employees feel able to report near misses.

Options to consider:

  • Ask for input and direction into the personal data breach training content from the Data Protection Officer (DPO) or Information Governance team members, as appropriate.
  • Test staff understanding at the end of the training, possibly including a minimum pass mark, to ensure training is effective. 

 

Control measure: Decision-makers are equipped to make informed decisions about personal data breaches.

Risk: If senior staff are unable to assess the severity of a personal data breach and the risk to people impacted, this may breach articles 5 (1) (f), 33 and 34 of the UK GPDR.

Ways to meet our expectations:

  • Provide specialised personal data breach training to decision makers so they are able to effectively carry out this aspect of their role.
  • Provide supplementary guidance to personal data breach decision makers (eg security incident flowcharts).
  • Regularly refresh specialised training. 

Options to consider:

  • Ask for input and direction on the content of specialised personal data breach training from the DPO or Information Governance team.
  • Ask for feedback from decision makers on the effectiveness of the training and act on any recommendations.