What should small businesses do if there is a data breach?

If you’re a small business or sole trader, the ICO has great guidance on what to do if you’ve had a data breach. The first thing you need to do is stay calm. Data breaches can happen because of accidents or negligence, and many don’t end in formal action. So, it’s best to take a breath and just follow the proper procedures. There’s even a self-assessment reporting tool to help you work out whether you need to report the breach to the ICO at all. In many instances, you may not need to take any further action, or you’ll be able to minimise the impact or eliminate the risk altogether with a few simple steps.

Types of breaches

The ICO has amazing guidance on different types of breaches like:

  1. Not redacting personal data
  2. Emailing something in error
  3. Working on an unsecured laptop
  4. Sending products to the wrong person
  5. Fallout from a cyberattack

You can see from those examples that it’s very important to start your documentation from the moment you realise there’s a breach. This is because, as you investigate, you’ll find out more information about who is impacted and the level of risk. And that information might change your reporting requirements under the law.

Start the clock

Legally, you’ve got 72 hours to report a breach (if necessary), so it’s always a good idea to start the clock when you realise something is wrong. Make a log with the facts:

  1. When did you notice?
  2. What happened?
  3. What sort of data is involved?
  4. Who is impacted?
  5. What’s the timeline?
  6. What have you done so far?
  7. Have you recovered any data?

You could do several things to limit your risk and possible damages, like changing all passwords, wiping lost devices or calling the ICO for advice.

Define the risk

When trying to understand what’s happening and who is impacted, you’ll need to gauge the level of risk: was personal info involved like name, address, photos or comments, or anything more serious like payment details? Now think about who has access to it. Did it stay inside your organisation or go to an outside party? How easy would it be to get that data back or have it deleted? Are lots of people affected or just a handful? Lastly, will this cause harm? Could they lose money? Are they vulnerable? Is it going to impact their safety? If there’s unlikely to be much negative effect, then it’s a low-risk breach. If people will be harmed, then it’s a higher risk.

Act, if required

The ICO explains, “If possible, you should give specific and clear advice to people on the steps they can take to protect themselves, and what you’re willing to do to help them. If you don’t think there’s a high risk to the people involved, you don’t have to let them know about the incident.” Balance your duty of care with the need to avoid unnecessarily worrying your suppliers, customers or clients. If you need to report the breach legally, you’ll want to share the log you’ve made and your risk assessment, with follow-on actions, within 72 hours of discovery.
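The three steps above (log the facts and start the 72-hour clock, gauge the risk, decide whether people need telling) can be kept in one small script so the log and the assessment stay together and the deadline is never miscounted. The following is an added example, not an ICO tool or code from this page; the field names, the list of “more serious” data categories and the 100-person threshold for “lots of people” are assumptions chosen to mirror the questions in the text, and the two breach records are constructed sample data. Whether the ICO itself must be notified is left to the self-assessment tool mentioned earlier; the script only tracks the window.

```python
"""Breach log and risk triage helper (added example, assumptions noted inline)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

REPORTING_WINDOW = timedelta(hours=72)  # the 72-hour window the text refers to

# Data categories the text singles out as "more serious" (assumed list).
SENSITIVE = {"payment details", "financial", "health", "id documents"}
MANY_PEOPLE = 100  # assumed threshold for "lots of people"


@dataclass
class BreachRecord:
    """One entry in the breach log; fields follow the questions in the text."""
    noticed_at: datetime                 # When did you notice? (timezone-aware)
    what_happened: str                   # What happened?
    data_types: list[str]                # What sort of data is involved?
    people_affected: int                 # Who is impacted? (head count)
    left_organisation: bool              # Did it go to an outside party?
    recoverable: bool                    # Can you get it back / have it deleted?
    harm_possible: bool                  # Money loss, vulnerability, safety?
    actions_taken: list[str] = field(default_factory=list)  # What have you done?
    data_recovered: bool = False         # Have you recovered any data?

    def report_deadline(self) -> datetime:
        """The clock starts the moment you notice, not when you finish investigating."""
        return self.noticed_at + REPORTING_WINDOW

    def hours_remaining(self, now: datetime) -> float:
        return (self.report_deadline() - now).total_seconds() / 3600


def assess_risk(rec: BreachRecord) -> tuple[str, list[str]]:
    """Return ('low' or 'higher', reasons) using the factors the text lists."""
    reasons = []
    if rec.harm_possible:
        reasons.append("people could be harmed")
    if any(t.lower() in SENSITIVE for t in rec.data_types):
        reasons.append("sensitive data involved")
    if rec.left_organisation and not rec.recoverable:
        reasons.append("data left the organisation and cannot be retrieved")
    if rec.people_affected > MANY_PEOPLE:
        reasons.append(f"{rec.people_affected} people affected")
    return ("higher" if reasons else "low"), reasons


def triage(rec: BreachRecord, now: datetime) -> dict:
    """Combine the log entry, the risk assessment and the deadline into one view."""
    level, reasons = assess_risk(rec)
    remaining = rec.hours_remaining(now)
    return {
        "risk": level,
        "reasons": reasons,
        "notify_individuals": level == "higher",  # text: tell people when risk is high
        "report_deadline": rec.report_deadline().isoformat(),
        "hours_remaining": round(remaining, 1),
        "deadline_passed": remaining < 0,
    }


# Constructed sample timestamps: noticed at 09:00 UTC, triaged a day later.
NOTICED = datetime(2024, 3, 4, 9, 0, tzinfo=timezone.utc)
NOW = NOTICED + timedelta(hours=24)


def sample_records() -> dict[str, BreachRecord]:
    """Two constructed log entries: one low-risk slip, one serious loss."""
    return {
        "misdirected_email": BreachRecord(
            noticed_at=NOTICED,
            what_happened="Invoice emailed to the wrong internal colleague",
            data_types=["name", "address"],
            people_affected=1,
            left_organisation=False,
            recoverable=True,
            harm_possible=False,
            actions_taken=["asked recipient to delete it"],
            data_recovered=True,
        ),
        "lost_laptop": BreachRecord(
            noticed_at=NOTICED,
            what_happened="Unencrypted laptop holding the customer list was lost",
            data_types=["name", "payment details"],
            people_affected=350,
            left_organisation=True,
            recoverable=False,
            harm_possible=True,
            actions_taken=["remote wipe requested", "passwords changed"],
        ),
    }


if __name__ == "__main__":
    for name, rec in sample_records().items():
        print(name, triage(rec, NOW))
```

Keep `noticed_at` timezone-aware so the deadline survives a clock change, and append to `actions_taken` as you go rather than rewriting the entry; the log you hand over should show what you knew and did at each point.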


Need help securing your database and keeping everything running smoothly? We’d love to help you understand the legal requirements and put a crisis response framework in place. Talk to us today about your organisation’s needs.