
Reporting a personal data breach

The UK GDPR introduces a duty on all organisations to report certain personal data breaches to the relevant supervisory authority. You must do this within 72 hours of becoming aware of the breach, where feasible.

https://ico.org.uk/for-organisations/report-a-breach/personal-data-breach/personal-data-breaches-a-guide/

Responsibilities

In the context of a website or digital service managed by Studio 24, if Studio 24 (the processor) is made aware of a data breach we will make the client (the data controller) aware as soon as possible.

We will risk-assess the data breach and, where necessary, report it to ICO within 72 hours, or we will ask the client (data controller) to do so.

We keep a record of the people our Support team should contact in the event of a data breach or critical issue on your website.

What is a personal data breach?

A personal data breach covers any unauthorised or accidental access to, disclosure of, destruction of or alteration of personal data relating to a living person.

For example, it may be a security attack to gain access to website files, accidental deletion of user data, sending personal data to someone who should not have access to that data, or a lost laptop where data could be retrieved.

See what is personal data.

As soon as Studio 24 is aware of a data breach, we will take action immediately.

Risk-assessing personal data breaches

We will assess:

  • What type of data breach is this?
  • What personal data is at risk?
  • Who has unauthorised access?
  • Does it create a high risk to the rights and freedoms of individuals?

See how to respond to a data breach.

Type of data breach

  • Confidentiality breach - unauthorised or accidental disclosure of, or access to, personal data
  • Integrity breach - unauthorised or accidental alteration of personal data
  • Availability breach - unauthorised or accidental loss of access to, or destruction of, personal data

What personal data is at risk?

How identifiable or sensitive is the personal data that is at risk? Is it just names and email addresses, more comprehensive data such as addresses, or more sensitive data such as health data or data about children?

It is not always possible to identify exactly what data has been accessed in a data breach. Therefore, if a data breach is detected we'll assume that the maximum amount of data that could have been accessed has been accessed, and take the necessary action.

For example, if an attacker gains access to the server and all website files then there is a high risk the database has been compromised and may have been downloaded. If an attacker only has access to one user account, then the data exposed is restricted to what that user can access.

Who has unauthorised access?

Who potentially has unauthorised access? Is it other professional members of staff at your organisation? Has the data accidentally been made public? Or has a hacker gained access to personal data?

Does it create a high risk to the rights and freedoms of individuals?

We risk assess the data breach based on what impact it may have on the individual. Does the data breach result in a risk to people’s rights and freedoms?

The GDPR explains that this can include loss of control over their personal data, limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, and loss of confidentiality of personal data protected by professional secrecy. It can also include any other significant economic or social disadvantage to those individuals.

See Section IV of the Article 29 Working Party guidelines on personal data breach notification.

When assessing risk, it can help to put yourself into the shoes of those who have been impacted. Would you be worried about this incident or is it a minor inconvenience?

If there is a likely high risk of adverse effects occurring, then we need to communicate the breach to the affected individuals as soon as possible. The breach must also be reported to ICO.

Examples

Low risk:

  • A user accidentally deletes a user record that is later restored from a backup.
  • A hacker exploits a security vulnerability to gain access to the server. They gain access to email addresses and names for admin users of the website. Low risk, though data will need to be carefully restored and passwords reset.

High risk:

  • A hacker exploits a security vulnerability to gain access to the server. They gain access to personal data of end users of a website including names and addresses that could be used in identity fraud.
  • Personal data including children's names and addresses is accidentally made public.

What personal data breaches need to be reported to users?

Studio 24 will always inform our client of a data breach. We will advise when it is necessary for end users to be informed; this is normally the responsibility of the client.

Our normal practice is to compile an incident report for any security issue that affects a client website.

Information to include when informing users:

  • the name and contact details of any data protection officer you have, or other contact point where more information can be obtained
  • a description of the likely consequences of the personal data breach
  • a description of the measures taken or proposed to deal with the personal data breach and, where appropriate, a description of the measures taken to mitigate any possible adverse effects

Clear advice should be given to individuals on how to reduce their risk, for example by resetting passwords.

What personal data breaches need to be reported to ICO?

As noted above, where there is a likely high risk of adverse effects occurring to users due to the consequences of the data breach, this should be reported to ICO within 72 hours.

Report a breach to ICO online.