My Breach Story…

I never write personal blogs, they seem self-important and indulgent but I want to make a point with this story.  I could embellish it with powerful clichés but the reason for telling you this is so you can learn from someone else’s mistakes.

This is real, this happened and I don’t want it to happen to you.

I’ve been qualified as a GDPR Practitioner for 2 years now.  My previous lives consisted of commercial management, senior procurement roles, a quality Manager and an auditor.  If we want the whole story there are terrible summer jobs and bar work too.

How this started…

I first met my client in February 2019.  She was a very stressed and disorganised business owner. There was sensitive data everywhere, paper files doing back several decades, a prehistoric database which she had no idea how to manage, very little security in place and no data protection procedures.  I completed a full data audit, submitted recommendations and duly followed up several times to check on progress but heard nothing back.  I filed their documentation and got on with life.  There are only so many times that you can check in without being annoying.

She paid for my advice but didn’t follow through on any required actions.

All change…

A year goes by and suddenly things have changed.  Their off-site data storage back up supplier had been hacked, her sensitive data has been compromised.  The data storage supplier or her data processor had rightly reported the breach to the ICO and had informed my client of some of the details.

She contacted me straight away, but not aware of the seriousness of the situation.  She thought that she had time, she was too busy for this with real work and this could wait.  This was not the case.

She reported the breach too as she was the data controller and the ICO wanted to do a full investigation.  We were assigned the principal cyber security investigator who wanted incredibly detailed information.  Now she was starting to understand all the advice and strategies I was previously suggesting.  She was a serial hoarder of information, well over 90% of her information was no longer needed – yet was compromised.

Action stations…

She was in full blown panic mode now, we had two weeks to provide the information.

They needed: the exact data that had been compromised and how the breach had occurred.  The protective measures, breach procedures, retention policies, remedial actions taken, contact with data subjects and additional reports.  Also, a data protection impact assessment detailing the risks and measures taken to minimise them.

It took me a week to prepare the information and documentation, finally, over the Easter weekend the information was submitted.  We were due to hear back within 2 weeks with their decision to fully investigate and issue a fine.

The waiting game…

My client was thinking that she would need to close down her business as she wouldn’t survive the fine or the damage to her reputation.  She was stressed to the point of ill health.  I was very worried about her and was checking in on her every few days.

Success!

Nearly 5 weeks later the ICO contacted my client saying that they wouldn’t take this further as we had ensured we had completed all of our data obligations and because the supporting documentation was good.

Elated doesn’t cover it.

I was pleased for two reasons:

  1. My client wasn’t fined, she will save time, money and will have an untainted reputation.
  2. My processes work!

So the moral of the story is…

To listen to the people that are trying to help you.   I have help with the areas that I’m not experienced with or am just no good at.  They know what they are doing, they have reasons why they ask certain things and I trust them.

My clients know how detailed I am. They often roll their eyes at the information I need and what I’m asking them to do.  Yes, its detailed, yes, I want to look in every file.  I will be checking back and I will want to see progress made, I will be asking questions about security and data flows.  I will be reviewing your processes, asking why do you things and sending you huge spreadsheets.

The reason why I do this is to save you from this experience that my client has just had.

If you want to avoid a story like this happening to you then please get in touch:

Contact