What is a GDPR Breach?
A GDPR breach occurs when personal data is accessed, disclosed, lost, altered, or destroyed in an unauthorized or unlawful manner. This can happen due to system errors, human mistakes, cyberattacks, or inadequate security measures. Under GDPR, organizations have a legal duty to protect personal data and report breaches that pose risks to data subjects’ rights and freedoms.
GDPR Breach Response & Data Subject Rights Protection Guidance
1. Immediate Actions Upon Discovery of a Suspected GDPR Breach
- Assess the situation: Identify the nature of the breach, what data was exposed, and who is affected.
- Contain the breach: Immediately stop any further exposure of data by removing incorrect links, email addresses, or access permissions.
- Document the incident: Record all relevant details including:
  - Date and time of discovery
  - Nature of the breach
  - Individuals affected
  - Steps taken to mitigate impact
- Notify the IT Team: Escalate the incident to IT Support for further investigation.
- Verify and correct affected records: Ensure all incorrect personal data is removed or corrected to prevent further unauthorized disclosures.
2. Communication & Notification
- Internal Notification: Inform senior management and the Director of IT immediately.
- Notify Affected Individuals: Contact impacted data subjects as soon as possible with details of the breach, actions taken, and guidance on any risks they should be aware of.
- Regulatory Reporting: If the breach meets the threshold for notification under GDPR, we may need to report it to the Information Commissioner’s Office (ICO) within 72 hours of discovery. This will require an Exec Team review in consultation with the Director of IT. Please keep your SLT member notified throughout as they will need to manage the incident as a priority.
3. Remediation & Preventative Measures
- Root Cause Analysis: Investigate how the breach occurred and implement measures to prevent recurrence.
- System Audit: Where appropriate, review system logs, access controls, and linked profiles to ensure proper data handling practices.
- Update Procedures: Where appropriate, modify data entry and linking processes to avoid erroneous profile associations. If the breach was caused by user data entry, training must be provided to all users who could reasonably process the information in question.
- Staff Training: Reinforce GDPR compliance training for all relevant personnel.
4. Protecting Data Subject Rights
Ensuring the protection of data subjects' rights is a fundamental responsibility that underpins our commitment to data privacy and security. As custodians of personal data, we must uphold the principles of transparency, accountability, and fairness in all our data processing activities. By respecting and enforcing these rights, we strengthen trust with our customers, employees, and partners while maintaining compliance with GDPR regulations.
- Right to be Informed: Ensure clear and transparent communication about how personal data is used and protected.
- Right of Access: Provide data subjects with copies of their personal data upon request.
- Right to Rectification: Correct inaccurate data promptly upon notification.
- Right to Erasure (‘Right to be Forgotten’): Delete personal data where required by GDPR, unless retention is legally necessary.
- Right to Restrict Processing: Temporarily limit data processing where requested and legally applicable.
- Right to Data Portability: Provide data subjects with their personal data in a structured, commonly used format.
- Right to Object: Cease processing of personal data where objections are raised, unless legal grounds override the request.
By following these steps, we ensure swift response to data incidents, protect data subjects’ rights, and maintain trust in our data security practices.