You need to be able to show how you will spot, cope with and resolve any problems caused by data breaches, whether they originate within your organisation or affect data you hold.
In some instances you will need to report a data breach to the ICO, and this will sometimes include information about who has been affected.
Data Breach Definition: any time your security is broken and data is released, stolen, corrupted, changed, lost or shared with those not supposed to see it is regarded as a data breach. This applies to both electronic and hard copy data.
Reporting such a data breach to the ICO is required where you deem it possible that the breach poses a risk to the rights and freedoms of individuals. Where this is unlikely, reporting is not required, but records should be kept of all instances, together with the decision made on whether or not to report each one and the justification for that decision. If individuals are deemed likely to be affected by the breach, they too must be alerted as soon as possible.
If you need to report a data breach to the ICO, this must be done within 72 hours of first becoming aware of it. It is understood that this may not be enough time to establish everything that has happened and any consequent damage, but phased reports can be issued in such situations. It follows that all staff need to understand what constitutes a personal data breach, which is wider than just a loss of personal data, and to know what to do if they discover that one has occurred.
The easiest way to ensure this is to have a full data breach protocol or procedure that all staff are informed about and trained to follow. Any data breach can then be raised quickly, allowing key personnel to take appropriate action on reporting to the ICO and alerting affected individuals. Given the tight timescale for reacting to the discovery of a breach, it is essential that the procedure is clear, well known to all staff, practised, and able to alert the relevant decision makers quickly.