What Qualifies as a Data Breach in the Workplace?

What is a data breach?

In simple terms, a data breach is related to both accidental and deliberate causes that lead to data being accessed unlawfully, changed or destroyed without permission, lost, stored unsafely or transmitted to people it shouldn’t be.

Data breach examples in the workplace

There are many forms of data breaches that can occur within an organisation. Examples of data breaches include:

• Having access to the HR Folder when you shouldn’t have
• Losing your laptop, phone or USB drive
• Sending an attachment meant for one customer, to another customer
• Sending an email, meant for a colleague, to a customer
• Sharing personal data with another company without a contract in place
• Putting your username and password into a phishing website
• Leaving paperwork on the train
• Hacking/ malicious access by a 3rd party
• Ransomware
• Theft of anything which holds data
• Viruses
• Being in an email distribution group when you shouldn’t be

It’s a myth that every breach that happens needs to be reported to the ICO. Understanding the risk is what will determine the seriousness of the breach and whether it needs to be recorded internally or reported to the ICO.

How can you determine the risk of a data breach?

Taking the example of sending an email meant for a colleague, to a customer, it’s important to go through the below process to help identify the seriousness of the data breach.

1. Has a breach has been identified?
   • Yes, as an email has been sent to someone other than it was intended for – in this case, a customer instead of a colleague.
2. Is the risk likely to result in a risk to the individual’s rights and freedoms?
   • If it’s just a spreadsheet with a list of names, then no then this would not need to be reported to the ICO. Instead, you would record the incident on your companies breach register- learn from your mistakes and improve from the incident.
3. If the spreadsheet of names also had medical information on it, this would be seen as serious and therefore within 72 hours of the breach being identified it should be reported to the ICO.
4. Additionally, if you think this breach is a high risk to the individual’s rights and freedoms then you must also let the affected individuals know.

If you are unsure, it’s always best to notify the ICO anyway and they will help support you. We are all human and can make simple mistakes, however ensuring that you are following the correct processes in line with data protection and security policies, will ensure that you protect yourself and your business against serious consequences.

Have you ever had a data breach?

We held a webinar on this topic and asked the question “Have you ever had a breach?” to our webinar attendees and the results were as follows:

41% said yes

45% said no

14% said not sure

We posed the exact same question after our “Data Protection and Security – Where are we now?” webinar and the results concluded:

71% said yes

10% said no

19% said not sure

We are grateful that our webinar taught our attendees about data breaches as they realised that they have had more data breaches than they initially thought but at the same time, it is a concern as there are large fines and negative business repercussions that follow if you are found to suffer a serious data breach and don’t realise.

Watch our webinar “Data Protection and Security – Where are we now?” to find out more about data breaches and how you can secure and protect your organisation.

Get in touch if you have any questions or concerns about data breaches or if your organisation’s needs help securing your data.