In addition to the legislative requirements of having data breach policies and procedures in place, data breaches can, in practice, have a serious impact on your business. They can result in unauthorised disclosure of personal information that your business is entrusted to maintain, interruption to your day-to-day operations, significant costs in recovery and reporting, as well as damage to your business’ reputation. Accordingly, ensuring that you have policies and procedures in place, as well as full training of your employees, is vital to raise awareness of the seriousness of breaches and to protect personal information in your business.

What is the purpose of this policy?

The purpose of a data breach policy is to contemplate all data breaches and to minimise the risks associated with any breaches. It also outlines the actions that should be taken in the event of a breach to ensure data is secure and to prevent further breaches. 

What does this policy cover?

A data breach policy should encompass all personal and sensitive data that your business holds. It should apply to everyone who is storing or processing data on behalf of your business – including employees, temporary or casual staff, consultants, suppliers, contractors, freelance workers or other data processors.

About data breaches

A data breach is defined as any incident, event or action that has the potential to compromise the availability, integrity or confidentiality of data, or the business’ data systems. This includes incidents or events that happen by accident or deliberately. Both confirmed and suspected incidents may qualify as a data breach.

For the purposes of a data breach policy, an incident may include (but is not limited to) any of the following:

  • Unauthorised use or accessing of data
  • Unauthorised modification of data
  • Loss of personal or sensitive data
  • Theft of personal or sensitive data
  • Loss or theft of equipment on which data has been stored
  • Individual error
  • Any attempts to gain access to data or our company IT systems (whether successful or failed)
  • Defacement of web property
  • Physical incidents, like a fire, which could compromise IT systems

Reporting a data breach

All employees who access, manage or use data in any way are responsible for reporting a data breach or any other type of security incident. This report should be made immediately to the employee’s line manager, using the data breach reporting form.

This report must include full details of the incident or breach, when it occurred, who the data relates to and how. It must also include details about the individual reporting the incident.

Data breach containment and data recovery

All necessary steps must be immediately carried out to minimise the effects of any data security breach or data security incident. This process of containment should begin with an initial assessment designed to establish the severity of the incident. The initial assessment should also include analysing whether there is any way to recover the lost data, and mitigate further risks associated with the incident.

Your initial assessment should include the following information:

  • The data involved
  • Whether the data involved is sensitive in nature
  • The individuals affected
  • The security measures that are in place to protect the data
  • What has happened to the data
  • Whether the data involved could be used in an illegal or otherwise inappropriate way
  • Any perceived wider consequences associated with the breach or incident

Data breach notification

Each incident must be assessed on a case-by-case basis. In every instance, the following considerations will be made:

  • Any contractual notification requirements
  • Any legal notification requirements
  • How many people are affected
  • What consequences may occur as a result of the data breach or data security incident
  • Whether notification of a breach or incident would help the individual to mitigate risks associated with the incident
  • Whether notification could assist the business in meeting its legal obligations under the GDPR and the Data Protection Act 2018

Next steps

We strongly recommend that you check your data breach policies are up to date and have been implemented across your business.

Contact Rankin Business Lawyers for practical, on-point commercial legal guidance.

Stacey Brennan
Lawyer