A data breach is a breach of data security that leads to the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of personal data. It includes sending emails to the wrong person, carelessness with passwords and leaving personal data on desks. If the breach is likely to put an individual’s personal data at risk, it should be disclosed to the Information Commissioner’s Office (ICO) within 72 hours of the breach using the following link. If the breach has put the individual’s data at high risk, the individual should also be told about the breach.
Currently, the person at Human Made who deals with data breaches is Sumaiya. If you suspect that there has been a data breach, you should email Sumaiya at firstname.lastname@example.org (emails will also be auto-forwarded to Tom and Siobhan).
The following process should be followed when there has been a data breach:
- Notify Sumaiya by emailing email@example.com
- Liaise with all relevant people to minimise the impact
- Enter the details in the 🔒 data breach log.
- Make recommendations to Tom as to whether the ICO should be notified of the breach, along with any individuals who need to be notified.
- If appropriate, notify the ICO.
- Complete the breach log with any additional data.
- Discuss the breach and ensure it is part of any future risk reviews.
- Carry out a breach post-mortem and post to Updates.
Common causes of breaches should be reviewed regularly and the company kept informed.