The Information Commissionerโs Office has a simple guide that explains what you need to do in the 72 hours following a data breach.
The seven step approach advocated is set out below:
Step one: Donโt panic
Itโs understandable if youโre concerned about what happens next. But weโre here to help you understand what happened and to prevent it happening again.
Step two: Start the timer
By law, you’ve got to report aย personal data breachย to the ICO without undue delay (if it meets the threshold for reporting) and within 72 hours.
Step three: Find out whatโs happened
Pull the facts together as quickly as possible.
Step four: Try to contain the breach
Your priority is to establish what has happened to the personal data affected. If you can recover the data, do so immediately. Also, you should do whatever you can to protect those who will be most impacted.
Step five: Assess the risk
You should now assess what you feel the risk of harm is to those affected, whether thatโs your customers, members or service users.
Step six: If necessary, act to protect those affected
If possible, you should give specific and clear advice to people on the steps they can take to protect themselves, and what youโre willing to do to help them. If you donโt think thereโs a high risk to the people involved, you donโt have to let them know about the incident.
Step seven: Submit your report (if needed)
If the breach is reportable, you can report itย online.
The ICO have a help line you could call, 0303 123 1113, or view online advice atย https://ico.org.uk/for-organisations/advice-for-small-organisations/72-hours-how-to-respond-to-a-personal-data-breach/.
Numbers R Us is a member of Laurel Leaf Networking.