The Information Commissioner's Office (ICO) has advised organisations to set up internal security breach reporting procedures, supported by comprehensive training, as part of preparations for the General Data Protection Directive (GDPR) due to come into effect in 2018.
The recommendation is made in an ICO Breach notification advisory, which has been updated to take account of the new rules. Organisations will need to start preparing now to be compliant from day one, and many organisations, particularly larger ones, are expected to appoint data protection officers.
The regulation will, among other things, require organisations to inform data protection authorities and the public about personal data breaches, which means having the appropriate reporting procedures in place and training staff accordingly.
"You should make sure that your staff understand what constitutes a data breach, and that this is more than a loss of personal data," said the ICO guidance.
"You should ensure that you have an internal breach reporting procedure in place. This will facilitate decision making about whether you need to notify the relevant supervisory authority or the public.
"In light of the tight timescales for reporting a breach, it is important to have robust breach detection, investigation and internal reporting procedures in place."
Furthermore, organisations will not have much time to notify the authorities of any breach. Article 33 of the regulation requires notification to take place "without undue delay and, where feasible, not later than 72 hours after having become aware of it ... unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons".
A personal data breach is defined as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed".
Preparing for the new regulation, which is likely to apply to organisations based in the UK regardless of Brexit, will require the guidance of in-house counsel, if available, according to Pinsent Masons partner Marc Dautlich who heads the law firm's information law practice.
"In-house counsel will need to define what in practice in their organisation constitutes a personal data breach, in line with the GDPR definition, so that employees can be given training to recognise such breaches and report them internally; and secondly, because in legal terms that will determine when the clock starts to tick for notification," he said.
Dautlich suggested that many organisations could look to existing notification procedures for other problems, such as product recalls or health and safety concerns.
"In many cases security vulnerabilities originate in a business's supply chain. Data controllers need to be cognisant of the implications of this. In particular, since prevention is always better than cure, and as the law already requires it, vetting sub-contractors before selecting them, followed by a robust contract, which under GDPR will require new content, and finally ongoing monitoring of adherence in the supply chain to agreed security measures, are each critical steps to take," he said.
The GDPR was approved by the European Commission earlier this year after a long and tortuous gestation period.
AlphaBay users had flocked to Hansa after it was closed down - not realising it had already been taken over by Dutch police
Microsoft closes in on $100bn annual revenues with sales weighing-in at $23.3bn
Moves to take down cyber-squatted domains reveals Fancy Bear hacking network, claims Microsoft
Intel claims 'world first' in artificial intelligence that can be plugged-in almost anywhere