Presentation is loading. Please wait.

Presentation is loading. Please wait.

Reporting personal data breaches to the ICO

Published byAlban Owen Modified over 5 years ago

Similar presentations

Presentation on theme: "Reporting personal data breaches to the ICO"— Presentation transcript:

1 Reporting personal data breaches to the ICO
Data Protection Practitioners’ Conference 2018 #DPPC2018 1

2 I think we've had a personal data breach! What do we do next?!
Data Protection Practitioners’ Conference 2018 #DPPC2018 2

3 DON'T PANIC! You know it's happened, so you’re already taking control of the situation. Data Protection Practitioners’ Conference 2018 #DPPC2018 3

4 There are some important things to keep in mind when you’re starting to deal with a breach…
Data Protection Practitioners’ Conference 2018 #DPPC2018 4

5 Containing the breach and recovering from the impact
Assessing the risk Deciding who you need to inform Learning from the incident Data Protection Practitioners’ Conference 2018 #DPPC2018 5

6 Containing the breach:
Establish a lead – this will often be the data protection officer or team, or it might be an external consultant. The main thing is that there is a point of contact for staff and customers and for the ICO if necessary. Data Protection Practitioners’ Conference 2018 #DPPC2018 6

7 Containing the breach:
They can provide instruction on steps to contain the breach, for example changing passwords, shutting computers down or halting network traffic. Data Protection Practitioners’ Conference 2018 #DPPC2018 7

8 Containing the breach:
They can also put immediate safeguards in place and, for example, provide instruction and authorisation to restore data from backups if that’s possible. Data Protection Practitioners’ Conference 2018 #DPPC2018 8

9 Containing the breach:
They should also be thinking about who will need to be informed, including the ICO, the data subjects, industry regulators and the police. Data Protection Practitioners’ Conference 2018 #DPPC2018 9

10 A breach can impact business transactions and
Risk Assessment: A breach can impact business transactions and your staff's ability to work, it can also harm your reputation, but remember the risk in a personal data breach is to the data subjects. Data Protection Practitioners’ Conference 2018 #DPPC2018 10

11 Think about how this breach could cause these people harm.
Risk Assessment: Think about how this breach could cause these people harm. How sensitive is the data? Could this breach lead to distress, financial or even physical harm? Data Protection Practitioners’ Conference 2018 #DPPC2018 11

12 Are there more safeguards you can put in place now?
Risk Assessment: Are there any safeguards in place that could lower the risk? For example, is the data encrypted? Has it gone to a trusted body? Are there more safeguards you can put in place now? Data Protection Practitioners’ Conference 2018 #DPPC2018 12

13 Notification: The GPDR brings in a requirement to report a personal data breach to the ICO unless you can demonstrate it's unlikely to result in a risk to individuals rights and freedoms. Data Protection Practitioners’ Conference 2018 #DPPC2018 13

14 Notification: If there is a high risk to individuals’ rights and freedoms you will need to notify them. In fact, the ICO may require you to. Data Protection Practitioners’ Conference 2018 #DPPC2018 14

15 Notification – informing the ICO:
During office hours you can call our specialist team on This is the best way to record the breach as we can work with you to understand what's happened, get all of the information we need and help you with the next steps. Data Protection Practitioners’ Conference 2018 #DPPC2018 15

16 Notification – informing the ICO:
You'll be able to explain the breach more clearly, we can ask any questions straight away and discuss how serious the breach is, and we can give advice on measures to take to contain the breach and whether you need to tell data subjects about what's happened. We’ll send you a copy of our record. Data Protection Practitioners’ Conference 2018 #DPPC2018 16

17 Notification – informing the ICO:
If you need to report and you can't reach us on the phone, if you already have a written report ready, or you have relevant documentation to send you can report via our website: Data Protection Practitioners’ Conference 2018 #DPPC2018 17

18 Informing the ICO: what we need from you
Our breach reporting team will be able to discuss the details we require, and don't forget; the GDPR allows you to report in stages. But we will need a clear summary of what happened and when, and the steps that led to the breach. Data Protection Practitioners’ Conference 2018 #DPPC2018 18

19 Informing the ICO: what we need from you
How many people could be affected and how many records? Remember, one person might have multiple records and one record might mention multiple people. What type of data has been breached? Is there any sensitive information? Data Protection Practitioners’ Conference 2018 #DPPC2018 19

20 Informing the ICO: what we need from you
What did you have in place that could have stopped it? Are your staff trained? What steps have you taken so far to safeguard the data subjects? Are there any more steps you will take? Data Protection Practitioners’ Conference 2018 #DPPC2018 20

21 Informing the ICO: what we need from you
We will ask about the policies and procedures you have in place. Are they written down? We will also ask whether staff are trained in the processes your organisation uses and if you provide guidance for them that they can use as a reference. Data Protection Practitioners’ Conference 2018 #DPPC2018 21

22 Informing the ICO: what we need from you
We’ll need to know about the security measures you have in place. This might be about password protection or network security, but might also be about locks on doors and cabinets. Data Protection Practitioners’ Conference 2018 #DPPC2018 22

23 Informing the ICO: what we need from you
What have you learned from this breach? How can you improve your practices? What have you done or will you do to stop a similar incident from happening again? Data Protection Practitioners’ Conference 2018 #DPPC2018 23

24 Informing the ICO: what happens next?
In most cases our reporting team will give you recommendations to help you put better measures in place to help prevent similar breaches in the future. Data Protection Practitioners’ Conference 2018 #DPPC2018 24

25 Informing the ICO: what happens next?
Sometimes we might need a bit more information from you. We’ll contact you by phone or . This is why reporting to us by phone is often the best way, we can try and cover everything in one call! Data Protection Practitioners’ Conference 2018 #DPPC2018 25

26 Informing the ICO: what happens next?
If a breach is serious, complex or involves a cyber incident we may need to carry out an in-depth investigation. We will contact you for more information. Data Protection Practitioners’ Conference 2018 #DPPC2018 26

Download ppt "Reporting personal data breaches to the ICO"

Similar presentations

Data Security Breach Code of Practice. Data Security Concerns Exponential growth in personal data holdings Increased outsourcing 3 rd countries cloud.

Data Security Breach Code of Practice. Data Security Concerns Exponential growth in personal data holdings Increased outsourcing 3 rd countries cloud.
© HIPAA Continuity Planners 2012 1 HIPAA Mandates a PLAN! (beyond hardware and software) Presented in Partnership with.

© HIPAA Continuity Planners HIPAA Mandates a PLAN! (beyond hardware and software) Presented in Partnership with.
Finance and Governance Workshop Management of a Data Breach James Webster Hiscox Insurance.

Finance and Governance Workshop Management of a Data Breach James Webster Hiscox Insurance.
Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.

Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.
Your cybersecurity breach will happen! Here’s what to do to mitigate your risk Thursday, 25 September 2014.

Your cybersecurity breach will happen! Here’s what to do to mitigate your risk Thursday, 25 September 2014.
Arkansas State Law Which Governs Sensitive Information…… Part 3B

Arkansas State Law Which Governs Sensitive Information…… Part 3B
PRIVACY, SECURITY & ID THEFT PREVENTION - TIPS FOR THE VIGILANT BUSINESS - SMALL BUSINESS & ECONOMIC DEVELOPMENT FORUM October 21, 2014 -WITH THANKS TO.

PRIVACY, SECURITY & ID THEFT PREVENTION - TIPS FOR THE VIGILANT BUSINESS - SMALL BUSINESS & ECONOMIC DEVELOPMENT FORUM October 21, WITH THANKS TO.
Information Commissioner’s Office Sheila Logan Operations and Policy Manager Information Commissioner’s Office Business Matters 20 May 2008.

Information Commissioner’s Office Sheila Logan Operations and Policy Manager Information Commissioner’s Office Business Matters 20 May 2008.
GWASANAETHAU IECHYD A DIOGELWCH / HEALTH AND SAFETY SERVICES HOW TO COMPLETE AN ACCIDENT & INCIDENT FORM Essential elements of an Accident & Incident Form.

GWASANAETHAU IECHYD A DIOGELWCH / HEALTH AND SAFETY SERVICES HOW TO COMPLETE AN ACCIDENT & INCIDENT FORM Essential elements of an Accident & Incident Form.
AIMS To raise awareness of some of the issues To offer advice on solutions To identify what might be considered as ‘best practice’ To launch new Policies.

AIMS To raise awareness of some of the issues To offer advice on solutions To identify what might be considered as ‘best practice’ To launch new Policies.
New EU General Data Protection Regulation Conference 2016 Managing a Data Breach Prevention-Detection-Mitigation By Gerard Joyce Dun Laoghaire Feb 24 th.

New EU General Data Protection Regulation Conference 2016 Managing a Data Breach Prevention-Detection-Mitigation By Gerard Joyce Dun Laoghaire Feb 24 th.
Introduction to the Australian Privacy Principles & the OAIC’s regulatory approach Privacy Awareness Week 2016.

Introduction to the Australian Privacy Principles & the OAIC’s regulatory approach Privacy Awareness Week 2016.
Incident Report Form Training Presentation Risk Department 6 Sterne Road Tatchbury Mount Calmore SO40 2RZ 023 8087 4323.

Incident Report Form Training Presentation Risk Department 6 Sterne Road Tatchbury Mount Calmore SO40 2RZ
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 17 – IT Security.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 17 – IT Security.
Section 4 Policies and legislation AQA ICT A2 Level © Nelson Thornes 2009 1 Section 4: Policies and Legislation Legislation – practical implications.

Section 4 Policies and legislation AQA ICT A2 Level © Nelson Thornes Section 4: Policies and Legislation Legislation – practical implications.
General Data Protection Regulation (EU 2016/679)

General Data Protection Regulation (EU 2016/679)
Tony Sheppard Mobile Guardian

Tony Sheppard Mobile Guardian
Unit 5 Understand how to work in partnership

Unit 5 Understand how to work in partnership
Making the Connection ISO Master Class An Overview.

Making the Connection ISO Master Class An Overview.
Information Governance Support Information Governance Services

Information Governance Support Information Governance Services

Similar presentations

Ads by Google