1. Data breach team
Damage limitation is a priority immediately following a security breach. You will need a team of people to manage the data breach.
What should you do?
☐ Assemble a data breach team, including your data protection officer (DPO) and/or data protection manager (DPM) (if you have one), head of legal/compliance, head of IT and head of HR (if employee data is involved).
☐ Appoint someone to lead the team (preferably not your head of IT).
2. Preliminary notifications
Your first instinct may be to tell affected individuals and regulators about the breach, but you need more information before you can decide whether this is necessary or desirable.
The time limit for notifying the Information Commissioner's Office (ICO) under the UK General Data Protection Regulation (UK GDPR) is without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach (Article 33), and the UK GDPR recitals indicate that any communication to data subjects should be made in close cooperation with the ICO, so the ICO is normally notified first. Your focus during the first 24 hours should be on containment and recovery.
What should you