In my previous blog, "My 3 steps to personal data breach handling peace of mind", I explained that the fear of breaches coming out of left field with no methodology in place was enough to get me to take some proactive measures.


One of those measures was to find a way to quantify breaches of any type. Applying numbers to the analysis rather than qualitative analysis has delivered many benefits to us and our clients, not least time saving.


Picture the scene: it’s 3pm on a Friday afternoon. You’re looking forward to your first tipple of the weekend and that email drops into your inbox: “Hi Tracey, I hope you are well (“I was”). We think there’s been a breach. I’ve just inadvertently cut and pasted 600 customer account details into a cloud application for a quote”.


At this point, in all fairness, I usually congratulate myself because it is a lot easier and quicker than it could have been but for our processes and setting up the client with them. It starts with information gathering. The good thing is that at that stage, even though we are nowhere near the stage of a formal analysis, based on what we do know, our data protection minds are beginning to whir, based on numbers we’ve applied to other scenarios. We start to formulate an informal view. Hmmm, bank account details: not good. Names and addresses: not good. Not sure who had access: not good; not sure how to delete: not good.


So, I am left with the bad news to deliver to decision-makers of the data controller: please prepare to spend some part of the weekend talking to me instead of your chosen ones, my instinct is that this is going to be notifiable. We are going to need to try and get answers, discuss, and decide and I will need sign-off.


The good news: this is not going to be half as painful as it might otherwise be. We all know our roles (this is what the setup and training were for) and we all click into – let’s do this both properly and quickly.


I know who to speak to (we have email groups set up for these communications). The information gathering and breach mitigation flows are in full swing. Now for the quantification. Firstly, it’s what you don’t have to do when you have a mountain of information. There is no re-inventing the wheel, picking through the facts. There is a pre-prepared questionnaire for anyone in my team, lawyers or not; they’ve all been trained. It literally is a case of filling in the numbers, with reasons for those numbers based on the context of the specific situation, and hey presto!


1. A logicized conclusion

2. A discussion point between DPO and data controller to interrogate the numbers, slightly amended following a Saturday morning conference call (still better than a Parkrun though!)

3. An audit trail and record of the decision – NOTIFIABLE – grrr (in all fairness completing the actual notification takes very little time because of all the groundwork that has been done in order to quantify the breach)


And the best bit is if the ICO queries any breaches or handling or asks us to demonstrate our thinking, then like Hermione Granger, I am going to willingly and proudly produce my work, instantly. No fuss.

If you would like to discuss this in more detail or have any questions on data breaches and how to handle them, please contact or call 01202 729444.