Please see below for suggested actions and further reading based on your answers to the nine questions. You can download this report as a Word document using the button on the top right corner of the page. If you have a problem downloading the report into a Word document please let us know.
That's great. If you know what a personal data breach is, if it happens you can do something about it.
Having robust measures in place to help you and your staff avoid personal data breaches is crucial.
Make sure you're considering things like:
Remember to regularly review and amend the measures you have in place, and remind staff to use them.
It's great you already have a person who’s responsible for dealing with personal data breaches.
It's important that you support them in their role, for example by regularly reviewing and, where necessary, improving the support and resources available to them. You also need to provide them with regular refresher training.
If they move on, you’ll need to choose someone to replace them, train the new person and tell everyone in your business who they are and how to contact them.
It's good you're providing training for your staff. To keep their knowledge up-to-date, you should provide regular refresher training, including:
By implementing a response plan, you've taken an important step to protect any personal data affected by a breach. But you need to treat it as a 'living document'. Regularly review the steps and actions you can take to limit the consequences, particularly if you've made changes to your business or if you've actually experienced and dealt with a breach. When something changes, update your response plan accordingly.
You’re in a good position if your responsible person knows how to assess the severity of a breach and the level of risk it’s likely to pose to those affected.
We have a self-assessment tool on our website you can use if you need help with a personal data breach.
In addition, you can contact us to get advice about any breach, including to help you decide whether or not to report it.
By already having this in place, you have a good basis to be open and transparent and show people you care about their personal data.
Review new information about existing personal data breaches. Reassess the impact to affected people as this may change over time.
You’re in a good position if your responsible person knows what to record on your breach log.
Remember that if new information comes to light about existing personal data breaches, they should update the log and reassess the impact to affected people. They may need to tell those affected and they may also need to report the breach to the ICO, explaining the reason for the delay.
Relevant staff should meet regularly with the responsible person to review the information in the breach log along with any ICO recommendations to ensure lessons are learned.
While your responsible person knows when to tell the ICO about personal data breaches, they need to reassess this decision if new, relevant information comes to light.
Our self-assessment tool is there to help assess personal data breaches.
In addition, they can contact us to get advice about any breach, including whether or not they should report it.