A data breach is a breach of data security that leads to the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of personal data. It includes sending emails to the wrong person, carelessness with passwords and leaving personal data on desks. If the breach is likely to put individuals’ personal data at risk, it should be disclosed to the Information Commissioner’s Office (ICO) within 72 hours of the breach using the following link. If the breach has put an individual’s data at high risk, that individual should be told about the breach.
Currently, the person at Human Made who deals with data breaches is Daisy. You can message her directly on Slack or email firstname.lastname@example.org if you suspect that there is a data breach.
The following process should be followed when there has been a data breach:
- Notify Daisy and email email@example.com
- Liaise with all relevant people to minimise the impact
- Enter the details in the 🔒 data breach log.
- Make recommendations to Tom as to whether the ICO should be notified of the breach, along with any individuals who need to be notified.
- If appropriate, notify the ICO.
- Complete the breach log with any additional data.
- Discuss the breach and ensure it is part of any future risk reviews.
- Carry out a breach post-mortem and post to updates.
Common causes of breaches should be reviewed regularly and the company kept informed.