The General Data Protection Regulation (GDPR) has a lot to say about what you should do if you think you have been the subject of a personal data breach. You might think that all you have to worry about is the addresses in your email marketing lists, but it goes much further than that.
The first requirement is that you have to assess the breach to see if you need to report it to the ICO. A breach could be as simple as an employee accidentally deleting personal data, and the ICO generally will not want to know about that, but if the breach might cause distress or loss to an individual then you must tell the ICO.
Whilst 72 hours is given as the deadline, the requirement is ‘without undue delay’. Whilst you should read the GDPR for the full details required by the ICO, most are rather obvious: the number and types of individuals affected, the number and types of personal data records concerned, and the details of the contact point, normally the data protection officer.
Your assessment of the likely fall-out from the breach will need to be included, together with the steps you have already taken to mitigate the damage and any further actions you have planned.
We’ve mentioned recently that any company involved in email marketing should have contingency plans in place. These will give you actions to perform immediately and include others to consider.
Lack of information is no reason not to inform the ICO, and the GDPR has provisions which allow you to report information in phases. This brings us to a new, and vital, aspect of the GDPR: record-keeping.
There is a requirement for you to record all your actions in relation to a personal data breach. If you decide that the breach is of such a nature that there is no requirement to inform the ICO, you must record your reasons and the actions you took to ascertain its seriousness. If you don’t have all the information to tell the ICO, then record why. If you are doing things correctly, this is simple self-defence.