Data Breach Reporting: Speedy 8-point checklist

July 2022

What are the key questions the ICO will want answers to?

Data breaches can be a pain. They’ll usually arrive when you least expect them, and your organisation will want them dealt with pronto.

With that in mind, preparation is everything: knowing in advance what questions need answering saves precious time while investigations take place, facts are gleaned and mitigating measures are considered. All as the clock continues to tick.

Remember – NOT ALL breaches need to be reported

As a quick recap, we aren’t obliged to report every breach. There’s a clear proportionality test around the potential impact of the breach on an individual. The ICO tells us:

If you experience a personal data breach you need to consider whether this poses a risk to people. You need to consider the likelihood and severity of the risk to people’s rights and freedoms, following the breach. When you’ve made this assessment, if it’s likely there will be a risk then you must notify the ICO; if it’s unlikely then you don’t have to report.

Our Data Breach Guide takes you through the key steps of establishing the facts and assessing whether a breach needs to be reported or not. You can download a copy here.

You’ve judged the breach reportable

Once you’ve assessed there’s likely to be a risk to affected individuals, you need to submit a report to the ICO. This must be done within 72 hours of becoming ‘aware’ of the breach.

(You’re considered to be ‘aware’ at the point there’s a reasonable degree of certainty a security incident has occurred which might have led to personal data being compromised).

The ICO has a helpful online data breach reporting form, which many organisations might choose to use.

And remember, you don’t have to have all the facts to submit an initial report; you can provide updates. The online form gives options on this.

(Please note this is sector dependent: telecoms and internet providers, as well as organisations in the health and communications sectors, have distinct reporting requirements).

8-point checklist – the answers you’ll need

1. What went wrong?
Can you describe what happened, how it happened and how it was discovered? When did it happen and when did you discover it?

2. What type of data is affected?
Are basic identifiers, contact details, user passwords, bank account numbers, passport details or other personal data affected? Does the incident involve any special category data such as health data, biometrics, political opinions or sexual orientation?

3. Who is affected?
Whose data is it? Employees, students, subscribers, clients or patients?

4. What’s the volume?
Do you have an exact figure, or an estimate, for how many records are involved and how many people could be affected?

5. What’s the risk?
What damage or harm has already happened? What further impact is anticipated? Is there a ‘high’ risk to those affected? (If so, you’ll also need to notify individuals.)

6. What training have staff had?
Can you confirm the staff member(s) involved in the breach have received data protection training in the past two years? What’s the nature and frequency of the training? (Be sure to also have a brief description of the training content at hand)

7. What actions have you taken?
What have you done to limit the impact? What’s been done to prevent a reoccurrence? When do you expect mitigating measures to be in place (if they aren’t already)? What further actions will you be taking?

8. Who else have you told?
Have you told affected individuals, or are you planning to? Have you told any other organisations about the breach?

Crucial to easing the potential fallout of a breach is being ready for one. A pre-prepared and robust data breach plan or playbook will alleviate stress levels in the heat of the moment. It also shows, as an organisation, you are on-point with your response to a breach.