When the GDPRs took data protection centre stage in 2018, I was terrified. Why? Because as an outsourced DPO for various companies including an energy company, I knew that there was potential for numerous data protection breaches that would need proper consideration and possible notification within a 72-hour window.
That was a narrow window to collect and understand the facts, galvanise the client company and senior officials to consider and reach a view as to whether a breach was “notifiable” to the ICO, and if so to collect the information required to draft the notification. The decision not to notify could be as hard as the decision to notify. I needed to have the confidence to designate a breach not notifiable and back it up with a very clear audit trail as to why in case we were ever called to account for our decision.
Being an outsourced DPO was just one of the services we provided and so we could not afford for a breach coming left field into our business to swallow up our business resources, any more than it should consume our client business either.
And the breaches did come and yes, they were very much left field. It’s the nature of the beast. Many came on a Friday afternoon of all times! (The ICO did note in the early days that most notifications took place on a Friday – I have no idea why that was the case and I’m still not sure).
So, what did I do, so I could function and not have the bottom drop out my world every time a breach came in? I did 3 very important things:
- I found a way to quantify breaches – to apply a scoring system to analyse those breaches
- I trained my team – even non-lawyers in that system (it was such a good system; it was ridiculously easy to train).
- I put policy, process, and training in place for the client company, so the appropriate decision-makers were available at short notice and had the information to make the decisions required of them.
Of course, much of this is a requirement, but being able to keep your head when others around are worrying and being able to efficiently handle a breach were my personal drivers. The result now is that we can quantify any breach in under 30 minutes and given the urgent nature of this work, it allows for calmer handling of the situation.
If you would like to discuss this in more detail or have any questions, please contact Tracey@law-point.co.uk or call 01202 729444.
