No business wants receive the news that a data breach has occurred within their company. Like with any serious incident, the first 48-72 hours are critical and the gathering of information and carrying out a complete health check within this type of data breach incident, is no different.

Naturally businesses would prefer to bury their heads in the sand, stay quiet and just hope that it’ll all blow over.  However, whilst this may have been the case during past years, under new GDPR regulation, this isn’t an option anymore.

So what are the first steps that business should take should a data breach occur?

  1. Understand the breach – Obtaining as much information as possible about the breach will enable the company to answer as many questions as possible and could help to restore the reputation of the business.
  2. Know your policies – Copies of all policies and proof of existing protection and implemented systems will need to be produced as proof of the measures you have taken to limit the situation.
  3. Who has been affected – gather who and how many people have been affected, plus what type of personal details have been accessed.
  4. Type of attack – Understanding the type of attack and if they are still present in your system is paramount to your next move. There is no point updating networks and passwords if the attackers still have access which will allow them to clone the information continue their pursuit.
  5. Report the breach – You have up to 72 hours to report a cyber security breach. You can do so here through the ICO at: https://ico.org.uk/for-organisations/report-a-breach/

Steps to prevent a breach from occurring in the first place

There are preventative measures that businesses can take to prevent the inevitable happening in the first place.

  1. Carry out a cyber security review of your business: our useful GDPR / data protection questionnaire will help you as an organisation to assess the current status of your company in terms of data protection and cyber security, highlight any vulnerabilities and create a more tailored approach to GDPR in going forward.
  2. Teamwork : appointing a dedicated team to oversea GDPR and data protection within your company will ensure that your IT systems and networks are up to date and will provide staff members with a point of contact should a GDPR query arise. If it is not possible to appoint a member of staff within the team, then it’s worth commissioning a third party company to oversee the responsibility of securing your network and training staff.
  3. Secure all systems: it is paramount that all IT systems are running correctly and are up to date. This includes running any core system patch updates, carrying out anti-virus scans, ensuring firewalls are switched on, implementing malware checking software and renewing passwords – especially if they haven’t been renewed for some time.
  4. Cover your company with GDPR insurance and a Data Protection insurance policy here at Crendon Insurance we support businesses with GDPR insurance to provide a suitable policy that will cover their business against a data breach. Please get in touch to find out more or see our GDPR website information pages.

Blogs used to write this article: