Reporting personal data breaches to the ICO

Data Protection Practitioners’ Conference 2018 #DPPC2018

I think we've had a personal data breach! What do we do next?!

DON'T PANIC! You know it's happened, so you’re already taking control of the situation.

There are some important things to keep in mind when you’re starting to deal with a breach…

The four stages of dealing with a breach:
Containing the breach and recovering from the impact
Assessing the risk
Deciding who you need to inform
Learning from the incident

Containing the breach: Establish a lead – this will often be the data protection officer or team, or it might be an external consultant. The main thing is that there is a point of contact for staff and customers, and for the ICO if necessary.

Containing the breach: They can provide instruction on steps to contain the breach, for example changing passwords, shutting computers down or halting network traffic.

Containing the breach: They can also put immediate safeguards in place and, for example, provide instruction and authorisation to restore data from backups if that’s possible.

Containing the breach: They should also be thinking about who will need to be informed, including the ICO, the data subjects, industry regulators and the police.

Risk Assessment: A breach can impact business transactions and your staff's ability to work, and it can also harm your reputation. But remember: the risk in a personal data breach is to the data subjects.

Risk Assessment: Think about how this breach could cause these people harm. How sensitive is the data? Could this breach lead to distress, financial or even physical harm?

Risk Assessment: Are there any safeguards in place that could lower the risk? For example, is the data encrypted? Has it gone to a trusted body? Are there more safeguards you can put in place now?

Notification: The GDPR brings in a requirement to report a personal data breach to the ICO unless you can demonstrate it's unlikely to result in a risk to individuals’ rights and freedoms.

Notification: If there is a high risk to individuals’ rights and freedoms you will need to notify them. In fact, the ICO may require you to.

Notification – informing the ICO: During office hours you can call our specialist team on 0303 123 1113. This is the best way to record the breach, as we can work with you to understand what's happened, get all of the information we need and help you with the next steps.

Notification – informing the ICO: You'll be able to explain the breach more clearly, we can ask any questions straight away and discuss how serious the breach is, and we can give advice on measures to take to contain the breach and on whether you need to tell data subjects what's happened. We’ll send you a copy of our record.

Notification – informing the ICO: If you need to report and you can't reach us on the phone, if you already have a written report ready, or if you have relevant documentation to send, you can report via our website: https://ico.org.uk/for-organisations/report-a-breach/

Informing the ICO: what we need from you. Our breach reporting team will be able to discuss the details we require, and don't forget: the GDPR allows you to report in stages. But we will need a clear summary of what happened and when, and the steps that led to the breach.

Informing the ICO: what we need from you. How many people could be affected and how many records? Remember, one person might have multiple records and one record might mention multiple people. What type of data has been breached? Is there any sensitive information?

Informing the ICO: what we need from you. What did you have in place that could have stopped it? Are your staff trained? What steps have you taken so far to safeguard the data subjects? Are there any more steps you will take?

Informing the ICO: what we need from you. We will ask about the policies and procedures you have in place. Are they written down? We will also ask whether staff are trained in the processes your organisation uses and whether you provide guidance for them that they can use as a reference.

Informing the ICO: what we need from you. We’ll need to know about the security measures you have in place. This might be about password protection or network security, but might also be about locks on doors and cabinets.

Informing the ICO: what we need from you. What have you learned from this breach? How can you improve your practices? What have you done, or will you do, to stop a similar incident from happening again?

Informing the ICO: what happens next? In most cases our reporting team will give you recommendations to help you put better measures in place to prevent similar breaches in the future.

Informing the ICO: what happens next? Sometimes we might need a bit more information from you, and we’ll contact you by phone or email. This is why reporting to us by phone is often the best way: we can try to cover everything in one call!

Informing the ICO: what happens next? If a breach is serious, complex or involves a cyber incident we may need to carry out an in-depth investigation. We will contact you for more information.