The Information Commissioner’s Office has a simple guide that explains what you need to do in the 72 hours following a data breach.
The seven step approach advocated is set out below:
It’s understandable if you’re concerned about what happens next. But we’re here to help you understand what happened and to prevent it happening again.
By law, you've got to report a personal data breach to the ICO without undue delay (if it meets the threshold for reporting) and within 72 hours.
Pull the facts together as quickly as possible.
Your priority is to establish what has happened to the personal data affected. If you can recover the data, do so immediately. Also, you should do whatever you can to protect those who will be most impacted.
You should now assess what you feel the risk of harm is to those affected, whether that’s your customers, members or service users.
If possible, you should give specific and clear advice to people on the steps they can take to protect themselves, and what you’re willing to do to help them. If you don’t think there’s a high risk to the people involved, you don’t have to let them know about the incident.
If the breach is reportable, you can report it online.
The ICO have a help line you could call, 0303 123 1113, or view online advice at https://ico.org.uk/for-organisations/advice-for-small-organisations/72-hours-how-to-respond-to-a-personal-data-breach/.