Responding to a personal data breach
The Information Commissioner’s Office has a simple guide that explains what you need to do in the 72 hours following a data breach.
The seven step approach advocated is set out below:
Step one: Don’t panic
It’s understandable if you’re concerned about what happens next. But we’re here to help you understand what happened and to prevent it happening again.
Step two: Start the timer
By law, you've got to report a personal data breach to the ICO without undue delay (if it meets the threshold for reporting) and within 72 hours.
Step three: Find out what’s happened
Pull the facts together as quickly as possible.
Step four: Try to contain the breach
Your priority is to establish what has happened to the personal data affected. If you can recover the data, do so immediately. Also, you should do whatever you can to protect those who will be most impacted.
Step five: Assess the risk
You should now assess what you feel the risk of harm is to those affected, whether that’s your customers, members or service users.
Step six: If necessary, act to protect those affected
If possible, you should give specific and clear advice to people on the steps they can take to protect themselves, and what you’re willing to do to help them. If you don’t think there’s a high risk to the people involved, you don’t have to let them know about the incident.
Step seven: Submit your report (if needed)
If the breach is reportable, you can report it online.
The ICO have a help line you could call, 0303 123 1113, or view online advice at https://ico.org.uk/for-organisations/advice-for-small-organisations/72-hours-how-to-respond-to-a-personal-data-breach/.