How to respond to a data breach

Data breaches can happen for a variety of reasons, from accidents to malicious attacks. If the worst happens, it pays to be prepared.

Data breaches can happen to anyone - so be prepared

Charities, like many 21st century businesses, have huge repositories of data – and leaks, either accidental or as a result of hacks, can be a legal and public relations nightmare.

If the worst happens and your charity’s data is compromised, there are steps you can take to minimise the fallout. Hans Allnutt, partner at DAC Beachcroft and head of their cyber and breach risk and breach response team, explains what you need to do to prepare for a data leak.

Practice your incident response

Planning your response to data breaches isn’t just good practice – it’s mandatory. "Part of regulatory guidance is that you have a plan in place," says Allnutt. "It’s not just good business practice but it’s actually regulatory practice to do so."

The ICO’s guidelines suggest using the process ‘Contain, Recover, Assess, Notify, Evaluate’.

"In the case of a misdirected email, containing the breach could be contacting the recipient, making sure that they’ve deleted it, they haven’t forwarded it on and they’re not going to use it," explains Allnutt. "In the context of a malicious attack on a server, containing the breach can be quite convoluted – you’ve found some malware or remote access malware on a server, and you have to get forensics analysis to work out where the holes are, and effectively shore up the electronics system."

Assessing your legal obligations in the event of a breach can be an involved process, he notes: "If you find a vulnerability on a computer, do you turn it off? Do you stop giving those services? What’s your PR plan?"

Consider who you need to notify in the event of a breach. "Sometimes that’s driven by regulatory obligations, notifying the regulator or data subjects – or it might be commercial partners," says Allnutt.

Once you’ve worked through your immediate response to the breach, you need to evaluate – "Work out what you did and whether you need to do anything else," says Allnutt. "A proper plan needs to be triaged, so that you’ve got the right people and it’s escalated at the right time, and that those people have a decision making function as well."

Ensure all levels of the organisation are prepared to deal with a data breach

Data protection isn’t just the preserve of the IT department – everyone within the organisation has a part to play. Similarly, in the event of a data breach, everyone working in the organisation needs to know their responsibilities, who to report to and how to escalate their response. "If the building services manager discovers over the weekend there’s been a theft, he needs to know who to tell and what to tell them in relation to lost data," says Allnutt.

A data protection culture needs to be established from the top down, he adds: "Cyber risk sits at the most senior level, with the CEO. You delegate technical cyber protection to IT, but implementing training requires the HR function; to fulfil your legal contractual obligations you’ll need your legal function. A proper breach response plan will pull in all those things."

Be open, honest and accurate

"If there’s one thing worse than having a breach it’s having a breach and not telling anyone about it, and then everyone finding out 18 months later," says Allnutt. Silence is not an option – so be ready to issue a holding statement as soon as possible. "There is an instant demand for facts – even if you don’t know the full picture, you have to say something. In this response plan you can have stock phrases ready to go – lists of public statements."

Be prepared to deal not just with the public, but with third parties who may be involved in a breach. "You may be holding confidential commercially sensitive information about fundraisers on behalf of a partner. If you lose that information, you’re going to have to tell the other party that they lost the data – how are you sending that message?"

Consider your public relations response

Although the basic framework for a charity’s response to a data breach is similar to the commercial sector’s, the reputational considerations are somewhat different. "How you present yourself publicly around admissions of liability, errors and compensation will be different considerations in the charity space," says Allnutt. "If you say ‘We’ve lost your information, we’ll offer you compensation’, that shows you are an altruistic organisation – but for people that have donated to that charity, you’re handing their money out to people who have been affected."

Through practising your response to a data breach, you can work out the specific nuances that will affect the message you’re trying to get across. Showing vision, clarity and confidence – and responding quickly – are vital. The longer you delay, the more chance a reporter will break the story. Getting out in front of it can save you massive reputational damage.

Markel is the sector's premier insurance company working with charities, community groups, trustees, social enterprises and care providers. To find out more please visit
