I was recently asked a question: “If a business suffers a data breach, do the owners of the data (companies and people whose personal data has been compromised) need to be informed, if so how should they be contacted and how quickly.”
The answer is, so far as I know, not indicated directly in the guidance. (If anyone can point me to something, please let me know!) The following is my personal inclination based on my reading of the guidance that does exist:
- To have a client, means you will have some of their contact details. Thus these should be the methods used to contact them. (eg if you only have their telephone details, then this is the way you have to contact them. You might, at the same time, get another method to contact them too!)
- If the data holder has more than one method of contacting the client, then the fastest should be used in combination with reliability. So if email was available, then this is preferable to phone as it provides a permanent record. A written letter is going to be slower than a call, so a call would be preferable in that scenario, but perhaps the letter could follow up in writing. But I would do this only if I did not have the email address.
- When you got the data from them, you should have told them about the privacy requirements at that time. I would therefore recommend that you adopt the same immediacy approach when dealing with a change to those privacy requirements. Ie. You had to tell them immediately when they sent data to you, so you should tell them “immediately” when the conditions around your controls over that data have changed – ie following a breach. I have put quotes round “immediately” as there is leeway to ensure that you are certain about what you have lost. Ie you are allowed to check that the data truly is lost/damaged or whatever.
- The other factor to consider is that if the data is more sensitive, then you should endeavour to contact them more quickly. This is clearly the case for Special Category Data (see https://www.securebusinessdata.co.uk/gdpr-special-category/ for the Special Category Data definition)
- You should consider what is said in the guidance, and you may be required to contact the ICO in the event of a breach. If you are going to contact the ICO, you would probably want to have contacted/warned the individuals affected by the time you contact the authority so that you can show you have begun to take action. Details of contacting the ICO can be found on: https://www.securebusinessdata.co.uk/gdpr-breach-notification/
- Finally, you can get a good starting point if you consider how you would like to be treated if another company that has lost your data.
- You would want to be informed as soon as possible once it was sure (or at least highly likely) that the data was breached.
- You would want to be contacted by the fastest method to get your attention, but one that leaves you a record of what has happened.
- And you would want to be sure that you were contacted fastest if your most sensitive data was compromised.
- You would almost certainly want more than knowledge that your data had been breached – you would want to know possible ramifications, what the organisation that lost your data was doing to get it back, what actions you should take with regard to alerting your insurance or other protective measures you can put in place and so on. Note: this may not be a legal requirement on behalf of the organisation that last the data, but in terms of repairing the damage to their reputation, this would go a long way towards that goal. Also, not all this detail needs to be submitted at once. After the initial alert, follow ups with assessment of impact are a good way to re-establish a connection with the client and reassure that all that can be done is being done.
If you have any further questions, or recommendations relating to this question, please respond to the blog or contact us via https://www.securebusinessdata.co.uk/contact/ or by telephone on 0345 600 6975.