Three steps to handling data breaches under GDPR
If you so much as gather or store customer, supplier, or employee data, including sensitive information like payment details, you have a cyber risk exposure, and a breach of personal data can be especially harmful, says insurance broker Bluefin.
In 2017, 46 % of all UK organisations experienced at least one cyber-security breach or attack, according to government data. Personal data breaches can be especially harmful because they can lead to the destruction, loss, alteration or unauthorised disclosure of, or access to, personal data. If the breach is likely to significantly impact individuals’ rights and freedoms, you must inform them without delay.
Under the GDPR, organisations are required to report certain types of personal data breaches to the relevant supervisory authority within 72 hours. Failure to do so could lead to a fine of up to 4 % of the organisation’s global annual turnover.
Along with significant fines, personal data breaches could also have a profound impact on your organisation’s reputation ‒ even if you promptly inform all those affected. Your reputation is intrinsically linked to your brand and if you experience a data breach, individuals may then view you as being untrustworthy and take their business elsewhere.
What’s more, failing to meet data breach requirements may hold your directors and officers liable for their inability to implement the necessary safeguards.
Protect your business from hefty GDPR penalties and reputational damage by following these three steps:
- Notify the relevant supervisory authority of a breach within 72 hours.
- Directly contact the individuals affected by a breach if it is likely to result in a high risk to their rights and freedoms. (Note: the Information Commissioner’s Office (ICO) states that “the threshold for notifying individuals is greater than notifying the relevant supervisory authority”.)
- Complete a breach notification containing the following information:
  - The categories and number of people affected by the breach.
  - The categories and number of personal data records affected by the breach.
  - The name and contact details of the data protection officer, or of an additional contact from whom more information can be obtained.
  - A detailed description of the breach’s potential consequences.
  - A detailed description of the measures your organisation has taken or will take to address the data breach.
  - A detailed description of the measures your organisation has taken or will take to mitigate any possible adverse effects on either itself or the individuals affected.
Don’t assume that cyber cover is included under your existing business insurance policy. This often isn’t the case, so you may need to take out a separate policy to provide the cover you need.
Consider Cyber Insurance
There are now many cyber insurance solutions available. These do more than help resolve the ‘hacking’ itself: they also provide an emergency response in the event of an incident.
The extensive cover available typically includes:
- Cyber, data security, and multi-media cover
  - Covers any allegations of loss from the firm’s customers, including all defence costs
- Data breach notification costs
  - Covers the costs of notifying any affected clients of the data breach
- Regulatory defence and penalty costs cover
  - Ensures the costs of defending any ICO investigation, and any fine, will be paid if legally insurable
- Public relations costs cover
  - Covers the costs of PR consultants to minimise damage to your brand and to the operations of the recruiter
If you’d like to discuss your business insurance arrangements, including your exposure to cyber risks, call Bluefin Professions’ ICAEW team on 0345 894 4684.