How do you report data breaches in your workplace?
When a data breach occurs in your workplace, it is essential that the right procedures are followed. Litigation Executive Ben Brown explains how to report data breaches in your workplace and what will happen next.
If a data breach occurs in your workplace, it is important that the correct steps are taken to ensure that the appropriate investigations can be carried out and that no further damage is caused. This is absolutely imperative where a breach of data security in the workplace has led to the personal information of customers, employees, or suppliers becoming compromised.
Correctly reporting a data breach is also an obligation for any organisation that stores or handles personal data. Failing to do so could result in substantial penalties from the relevant authorities, such as the Information Commissioner’s Office (ICO).
It is also important to report a data protection breach in your workplace if you do not think that the organisation responsible for handling your data has taken the correct steps. If you intend to pursue data breach compensation, this is often a crucial step.
In the following post, we will discuss:
- What is a data breach?
- How might a data breach happen?
- What is a data breach report?
- How do you report a data breach in the workplace?
- Who do you report workplace data breaches to?
- How long do you have to report a workplace data breach?
- What will the ICO do after a data breach is reported?
- What should you do after you've reported the breach?
What is a data breach?
A data breach refers to any incident where sensitive data or information is exposed, accessed, or shared by an unauthorised third party. This could be the result of a number of things, such as criminal activity, human error, or a combination of factors.
Organisations are required to take every possible step to prevent a data breach from occurring. As such, if a data breach occurs and any data they have on file is compromised, they are obligated to report the incident and will usually be subject to an investigation. This applies even where an external third party has caused the breach, as this would mean the organisation’s security policies were not stringent enough.
How might a data breach happen?
There is a wide range of possible reasons for a data breach occurring. Some of the most common reasons include:
- Unencrypted data: Any data that is not correctly encrypted could be easily intercepted by criminals when data is being transferred. End-to-end encryption can counter this, but it is not universally used.
- Human error: Any mistakes from an individual employee, such as sending an email to the wrong person, or attaching the wrong attachment, can cause a data breach.
- Ransomware or malware: Ransomware or malware is often used by cybercriminals to gain access to company systems.
- Weak access controls: Some organisations may not have the right access controls in place, such as multi-factor authentication. This puts them at higher risk of being subject to a cyber-attack.
- Phishing: This is where a cyber-criminal uses existing information they have accessed (such as contact details) to extract further sensitive data out of someone. They usually attempt this while posing as a trusted individual or group.
- Distributed denial of service: DDoS attacks create a diversion. While a company responds to this diversion, cybercriminals attempt to access sensitive data.
What is a data breach report?
A data breach report is any correspondence, such as a phone call, email or online form, submitted to the ICO by an organisation (or individual) following a personal data breach. The ICO has a clear data breach reporting guide on its website, which provides organisations with the guidance they need when reporting any personal data breach that has been discovered.
How do you report a data breach in the workplace?
Organisations will be required to follow the guidance set out by the ICO when filing a data breach report. This includes guidance on the types of breaches that need to be reported and the information that needs to be provided.
You can also report a data breach where you are an employee who has been directly affected (such as having your personal details leaked). If you do not think that the organisation you work for has submitted a data breach report, you can contact the ICO directly to make a complaint.
Who do you report workplace data breaches to?
Organisations who are reporting a breach of data in the workplace will be required to inform the ICO, and any other relevant authorities (including the police where the breach involved criminal actions).
Anyone whose data is suspected to have been compromised must also be informed about the breach.
If you are reporting on a workplace data breach as an individual, you can file a report to the ICO. While they will not be able to take any legal action on your behalf, including helping you to claim compensation, they will be able to launch an investigation and hand out fines where required.
It is also important that you understand your legal rights if you are reporting a workplace data breach as an individual. If your data has been compromised, you may be able to make a claim for compensation. This is something a specialist data breach solicitor can support you with.
How long do you have to report a workplace data breach?
There are strict deadlines in place for organisations to report workplace data breaches. A data breach of any kind must be reported to the ICO no later than 72 hours after it is first discovered. If it is not possible to provide all of the necessary information in this time frame, the UK GDPR does allow for information to be supplied in phases, as long as this is done without undue further delay.
What will the ICO do after a data breach is reported?
The action the ICO takes will depend on the type of breach that has been reported and whether any regulatory action is required. The ICO may determine that no individuals have been put at risk and will therefore take no further action, other than to advise the responsible party on how to prevent the issue from recurring.
If a data breach has put individuals at risk, the ICO will likely take action, as well as sharing information with law and cybercrime agencies. The ICO has a range of enforcement powers that can be used, including the power to impose financial penalties.
What should you do after you've reported the breach?
If you have reported a data breach in the workplace to the ICO, your next step should be to speak to an expert data breach solicitor about your options for making a compensation claim.
Anyone whose data is compromised in a breach may have the right to make a claim. Compensation can help to account for the distress caused by the breach, as well as any direct financial losses that have been caused.
How Hayes Connor can help with data breach claims
If you have reported a data breach in the workplace, our expert solicitors can advise you on whether you will be entitled to claim compensation and how the general claims process works. We are able to act for clients on a no win, no fee basis, which removes the financial risk from making a data breach claim.
At Hayes Connor, we are one of the largest teams of data breach claims specialists in the country. We have a wealth of combined experience in supporting victims of data breaches in various sectors, including employees of organisations which are responsible for compromising their data.
Our team can advise you on whether you are likely to have grounds to make a claim, the level of compensation you may be entitled to and what steps need to be taken in the short-term.
We want to ensure that anyone who is affected by a data breach is able to access the compensation they deserve, while also making the process as straightforward and stress-free as possible.
You can find out more about our expertise and how we handle data breach claims here.
To start a claim, you can use our online claim form and we will get back to you shortly to let you know if we believe you have grounds for compensation.
If you would like to speak to a member of our team, please do not hesitate to give us a call on 0330 041 5138.