1. Make sure your organisation has a defined response plan to deal with a data breach: test it regularly, make sure all relevant people (internal and external to your organisation) have an up-to-date hard copy of it stored safely.
2. Once you become aware a data breach has occurred: don’t panic, establish the facts before you do anything else, and make sure all relevant staff members are made aware.
3. Assemble your response team as defined in your plan (see step 1) and allow rest of your organisation to carry on with business as usual. Make sure all staff are given regular updates on the situation especially if it’s a serious breach as they may be approached by media.
4. Once you’ve established the facts of the breach: do your best to contain it, minimise the harm that could be caused to the people whose information has been breached, and take all reasonable steps to preserve evidence for any potential forensic investigations that may become necessary.
5. Remember that you have a statutory duty to report the breach to The Data Protection Authority within 72 hours of you becoming aware of it. You only need to report breaches that meet certain criteria. Read our breach reporting guidance.
6. Think about the people whose data has been breached: be decent – consider contacting them to let them know and to say sorry. And keep in mind that they may tell the media.
7. Your response plan should include your communications plan: your approach will be dictated by the exact circumstances of your breach, but you are advised to – tell the truth, tell it fast, and tell it repeatedly. Be proactive, be the ones providing the information, don’t let the media misrepresent what’s happened – ask them to correct anything that isn’t factual. Make your voice heard, make sure all your staff know the facts and the key messages so that everyone is comfortable if they are approached by a journalist.
8. Finally, make sure you learn from the experience: as far as possible, close down the risk that led to the breach so that it doesn’t happen again, this will help you start to re-build trust between your organisation and the people whose data you look after. Update your response plan with what you learned.