How to respond to a data breach

Third Sector Promotion Markel

Data breaches can happen for a variety of reasons, from accidents to malicious attacks. If the worst happens, it pays to be prepared

Data breaches can happen to anyone - so be prepared

Charities, like many 21st century businesses, have huge repositories of data – and leaks, either accidental or as a result of hacks, can be a legal and public relations nightmare.

If the worst happens and your charity’s data is compromised, there are steps you can take to minimise the fallout. Hans Allnutt, partner at DAC Beachcroft and head of the firm’s cyber risk and breach response team, explains what you need to do to prepare for a data leak.

Practise your incident response

Planning your response to data breaches isn’t just good practice – regulators expect you to have a plan. "Part of regulatory guidance is that you have a plan in place," says Allnutt. "It’s not just good business practice but it’s actually regulatory practice to do so."

The guidelines of the ICO (the Information Commissioner’s Office, the UK data protection regulator) suggest using the process ‘Contain, Recover, Assess, Notify, Evaluate’.

"In the case of a misdirected email, containing the breach could be contacting the recipient, making sure that they’ve deleted it, they haven’t forwarded it on and they’re not going to use it," explains Allnutt. "In the context of a malicious attack on a server, containing the breach can be quite convoluted – you’ve found some malware or remote access malware on a server, and you have to get forensics analysis to work out where the holes are, and effectively shore up the electronics system."

Assessing the ongoing risk, and the legal and operational decisions that follow from it, can be an involved process, he notes: "If you find a vulnerability on a computer, do you turn it off? Do you stop giving those services? What’s your PR plan?"

Consider who you need to notify in the event of a breach. "Sometimes that’s driven by regulatory obligations, notifying the regulator or data subjects – or it might be commercial partners," says Allnutt.

Once you’ve worked through your immediate response to the breach, you need to evaluate. "Work out what you did and whether you need to do anything else," says Allnutt. "A proper plan needs to be triaged, so that you’ve got the right people and it’s escalated at the right time, and that those people have a decision-making function as well."

Ensure all levels of the organisation are prepared to deal with a data breach

Data protection isn’t just the preserve of the IT department – everyone within the organisation has a part to play. Similarly, in the event of a data breach, everyone working in the organisation needs to know their responsibilities, who to report to and how to escalate their response. "If the building services manager discovers over the weekend there’s been a theft, he needs to know who to tell and what to tell them in relation to lost data," says Allnutt.

A data protection culture needs to be established from the top down, he adds: "Cyber risk sits at the most senior level, with the CEO. You delegate technical cyber protection to IT, but implementing training requires the HR function; to fulfil your legal contractual obligations you’ll need your legal function. A proper breach response plan will pull in all those things."

Be open, honest and accurate

"If there’s one thing worse than having a breach it’s having a breach and not telling anyone about it, and then everyone finding out 18 months later," says Allnutt. Silence is not an option – so be ready to issue a holding statement as soon as possible. "There is an instant demand for facts – even if you don’t know the full picture, you have to say something. In this response plan you can have stock phrases ready to go – lists of public statements."

Be prepared to deal not just with the public, but with third parties who may be involved in a breach. "You may be holding confidential commercially sensitive information about fundraisers on behalf of a partner. If you lose that information, you’re going to have to tell the other party that they lost the data – how are you sending that message?"

Consider your public relations response

Although the basic framework for a charity’s response to a data breach is similar to the commercial sector’s, the reputational considerations are somewhat different. "How you present yourself publicly around admissions of liability, errors and compensation will be different considerations in the charity space," says Allnutt. "If you say ‘We’ve lost your information, we’ll offer you compensation’, that shows you are an altruistic organisation – but for people that have donated to that charity, you’re handing their money out to people who have been affected."

By practising your response to a data breach, you can work out the specific nuances that will affect the message you’re trying to get across. Showing vision, clarity and confidence – and responding quickly – is vital. The longer you delay, the greater the chance that a reporter will break the story first. Getting out in front of it can save you massive reputational damage.

Markel is the sector's premier insurance company working with charities, community groups, trustees, social enterprises and care providers. To find out more please visit
