This article outlines some of the key actions your authority should be taking to prevent breaches and to lessen the impact of those that do occur.
We frequently advise on breaches that were caused by human error and that could have been prevented with better training. All staff should receive data protection training that is practical and relevant to their roles. For example, staff should know how to recognise 'phishing' emails and how to share documents securely.
Training should also help foster a culture where staff come forward with suggestions. Their contributions are often valuable because they may spot weaknesses 'on the ground' which are not apparent to senior staff. Most importantly, staff must not feel afraid to mention suspected data breaches, which will always require prompt action and may need to be reported to the ICO within 72 hours.
Training should be backed up with written guidance and policies for all staff. Lengthy and abstract guidance is off-putting and ineffective. Instead, provide staff with guidance on what they actually need to know to do their jobs, for instance on issues such as working away from the office, passwords and the secure use of email.
It's a requirement under the GDPR to be able to demonstrate your data protection compliance, and policies for staff are an essential part of this.
Cyber-attacks are becoming more sophisticated and prevalent. Your authority should have appropriate technical and organisational measures in place to safeguard personal data from these attacks. As a starting point, review the National Cyber Security Centre's guidance for the public sector.
As a general rule, the more sensitive the personal data, the stronger the measures required to keep it secure. You should regularly test and evaluate the security measures in place to ensure that they are effective.
It can be difficult to know what to prioritise when a breach first happens. Being able to turn to a written procedure is helpful in ensuring that you've taken all of the necessary steps.
A data breach procedure should be aimed at the key members of staff who will deal with a breach. This will primarily be your DPO, but don't forget those with wider expertise around IT, reputation management, legal issues and HR.
If a breach is reported to the ICO, they will take into account the measures that you have taken to address the breach when considering enforcement action. This means that not only will robust action help to mitigate the consequences of a breach, but it may also lessen the severity of any enforcement action.