Data Privacy Week: Dealing with Data Breaches and SARs

With Data Privacy Week spanning from 24^th  – 28^th January, Briefed want to join the international effort to create awareness about data privacy and the pitfalls affecting the legal industry.

Throughout 2023, we advised organisations across the UK on dozens of data breaches. The vast majority of these breaches came from simple human errors that can happen to anyone, but it is vital to know that when small mistakes do occur, what action needs to be taken.

What to do if you have had a data breach:

Your first step is to contain the breach and take steps to make sure it can’t happen again. You can do this by assessing the severity of the breach, checking:

• What data is involved – is there any special category data affected? (health, race, sexual orientation).
• The risk to individuals and other third parties.
• What harm may be caused to the organisation (employees, shareholders, reputation etc).
• Were any security measures in place, such as passwords or encryption keys? You may be able to note this as a ‘near miss’ when sufficient protections prevent data from being accessed.

The ICO states that it is crucial when dealing with a breach, that the commercial considerations of the organisation never outweigh the obligations to protect individuals. The principle of protecting individuals’ data is of the utmost importance.

In light of this, if you feel that any of the following are a possibility as a result of a data breach, you must notify the individual concerned so they can take any necessary mitigating action:

• Physical or mental harm
• Financial or material loss
• Loss of any legal rights
• Discrimination
• Risk of identity theft or fraud
• Damaged reputation
• Affected privacy or compromised private information

Top reasons for requesting a SAR:

Similarly in recent years, we have seen a notable increase in the number of Subject Access Requests (SARs) received by chambers and other organisations. There could be a host of reasons why this surge has occurred, however it can be attributed to the ever-growing emphasis on data protection in public consciousness.

Three specific groups have emerged as the main contributors to the bulk of recent subject access requests:

Dissatisfied Clients – Often, an overly litigious client who is frustrated with the result of their case will make a SAR in an attempt to find a fault.

Rejected Candidate/Pupillage Applicants – SARs are now increasingly being used as a means of obtaining interview notes, feedback and internal correspondence relating to an individual’s application.

Former Employees or Barristers – More ex-employees are seeking copies of all documentation that references them, thus creating a considerable admin task. It can take weeks to sift through countless emails and documents in attempts to fulfil their request.

What to do if you receive a Subject Access Request (SAR):

Clarify the request:

Is the request actually a SAR – they have no specified format and may not even use the words ‘Subject Access Request.’ Also identify the individual making the request. You can do this by requesting photo ID, ensuring you are sure about their identity before sharing personal data.

Act immediately:

You have one calendar month to respond to the SAR in full.

• Circulate the request among all relevant parties to identify and obtain all data held on the individual – This is not limited to paper records.
• Consult your retention policy – how long have you held data on this individual?
• Ensure all avenues are checked – archives, deleted emails, redundant servers.

Consider third parties:

You may need to check what information other parties you regularly share information with hold on the data subject. Also consider whether the requested documentation contains personal data of third parties – have they consented to this being shared?

Seek professional advice:

• Before sharing any information, there are circumstances where you can and should refuse to share information.
• If you need to, apply for a time extension on fulfilling the request.

Data Protection Officer Service – Get in Touch:

As a result of this notable increase in SARs, Briefed are now offering a Data Protection Officer (DPO) support service. With this service, we will be able to aid you in navigating any queries you may have regarding GDPR, SARs or data breaches.

We offer specialist assistance and advice, including:

• Reviewing current GDPR policies you have in place.
• Creating work flowcharts to provide an overview of key data protection processes.
• Creating necessary policies and documents that are not currently in place.

If you would like further information on how we can support you with these issues, feel free to contact us by email at hello@getbriefed.com or contact us on 028 9621 634.