Data breach—panic sheet

The following Risk & Compliance precedent provides comprehensive and up-to-date legal information covering the data breach panic sheet.

1. Data breach team

Damage limitation is a priority immediately following a security breach. You will need a team of people to manage the data breach.

What should you do?

☐ Assemble a data breach team, including your Data Protection Officer (DPO) (if you have one), head of legal/compliance, head of IT and head of HR (if employee data is involved).

☐ Appoint someone to lead the team (preferably not your head of IT).

2. Preliminary notifications

Your first instinct may be to tell affected individuals and regulators about the breach, but you need more information before you can decide whether this is necessary or desirable. The time limit for notifying the Information Commissioner’s Office (ICO) under the UK General Data Protection Regulation (UK GDPR) is 72 hours from becoming aware of the breach, and the UK GDPR Recitals suggest you should notify the ICO before communicating with data subjects. Your focus during the first 24 hours should be on containment and recovery.

What should you do?

☐ Unless there are compelling reasons, do not at this stage notify:

  1. affected data subject(s)

  2. the ICO

3. Preliminary assessment

You should take steps to contain the breach and recover lost data as soon as possible, but before you can do this you will need to conduct a preliminary assessment of what data has been lost, why, and how.

What should you do?

☐ Conduct a preliminary
