This week two large public institutions announced significant data breaches. From early indications, one was caused by accidental over-disclosure relating to an FOI request, the other seems to be a lack of correct procedural controls.
Your Data Protection Officer or IG lead must understand and document the following:
- Identify and record the data information and assets you have – if you don’t know now is the time to start mapping them out, make a start on your Information Asset Register (IAR).
- Next or concurrently, construct your Record of Processing Activity (ROPA) which will help you identify who you are sharing that information asset with and under what legal basis.
Both these documents will help you identify all the data you hold and process, whether held on paper or digitally, how/where you store it, what you are doing with it and how long you are retaining it for. In the event of a data breach, these documents will go some way toward helping the investigation, both from the ICO perspective and your own, as you will need to act quickly by:
- Notifying data subjects (what has happened and how it affects them)
- Making changes to policies (and updating staff accordingly)
- Risk assessment and reporting to ICO/regulatory bodies (within 72hrs).
Don’t assume that no-one is interested in attacking your organisation.
For more information and free support over data protection and cyber risks, contact the Data Protection Team at HCPA firstname.lastname@example.org / 01707 708018 or visit us here: HCPA’s Data Security and Protection Team