A data breach can happen in a number of ways. When a data breach happens, it's important that you spot it and act quickly.
If personal data is lost, destroyed or changed accidentally or unlawfully, it is classed as a personal data breach.
This could happen for various reasons, such as:
Unauthorized access to your systems by hacking
Gaining access by phishing
Someone in the business accidentally losing information.
A really common way of losing data is by sending emails to the wrong people.
Sending an email to a number of people who don't already have each other's email addresses is a data breach. It can happen through something as simple as adding someone to CC instead of BCC, allowing everyone else to access each other's email addresses.
In any case of a data breach, businesses will have to assess and determine who is at risk, and take the best course of action.
In some cases, the business will have to inform the regulator of a data breach. The timeframe for this is 72 hours from the time the data breach was discovered.
The business should also inform the individuals who are affected by the data breach sooner than 72 hours if there's a potential for harm or financial loss.
If you come across or discover a data breach, the best course of action is to immediately get in touch with the Data Protection Office and inform them of the situation.
Following the proper policies and processes of the business can help turn a data breach into a data loss. A data loss is when a business loses personal data but it does not fall into the hands of any unauthorised parties.
How well we react and take proper action against a data breach will determine whether the regulators will issue fines to the business as well as take action against individuals involved in a data breach.
Watch this video to discover just how easy it is to accidentally create a data breach.
Example 1
Dane's been under a lot of pressure today. He's trying to finalise the paperwork on his biggest ever placement, but the candidate has taken forever to get all the right documents together.
He's finally got them and he's about to email the photocopies over to the client, but he gets distracted. He mistypes the email address and it auto-fills to someone completely different. He hits send half a second before realising his mistake. He tries to recall the message, but he's not sure if it worked.
Is that a Personal Data breach?
A. Yes
B. No
C. Only if he can't recall the message
Yes, it is a data breach.
The candidate's personal data has been shared with an unauthorised recipient. Even if Dane manages to recall the message, he cannot be sure what happened to the data.
He needs to report it internally without delay to minimise the risk to the individual concerned.
Example 2
Michelle has just got back from a meeting with a candidate who she placed two years ago. They are interested in a role that's about to come up and Michelle has taken lots of notes about what they've been up to over the past two years.
When she gets back to the office she realises she left her notebook behind in the cafe.
Is that a Personal Data breach?
A. Yes, definitely.
B. No way
C. Potentially
Potentially.
It depends what was in her notebook. If it contains information that could be used to identify an individual, then it would be a data breach.
Example 3
Gavin has just left his work phone on the train. It's encrypted and locked with a fingerprint scanner.
Is that a Personal Data breach?
A. Yes
B. No
No.
This is an incident, but due to the security protections in place, it has avoided a data breach. The key detail here is that the data is protected even though it has been lost via the device. If the phone was unlocked, with no password or fingerprint ID, it would almost certainly be a data breach.
Most data breaches and losses are down to human error. Once you realise data has been lost, you must act quickly. Your company won't automatically be fined, but the odds of a fine increase the longer it takes to report the incident.
If you have any questions concerning data protection & GDPR, please contact dataprotectionoffice@sheffieldhaworth.com