
Publish date: 4 December 2024

Navigating a cyber-attack: A Step-by-step GDPR breach guide for charities, not for profit organisations and education businesses

Charities, not for profit organisations and education businesses are often targeted by cybercriminals due to the sensitive data they hold and their perceived vulnerabilities. A cyber-attack can be devastating, particularly if it results in the exposure of employee and other personal data – such as passport details, bank account information, and personnel files – on public or dark web platforms. As a charity or other organisation delivering a public benefit, ensuring compliance with the General Data Protection Regulation (GDPR) and mitigating damage is of paramount importance.

This article is based on our experience in dealing with clients who have suffered cyber-attacks or other incidents that result in personal data being accessed. We have provided a clear, 9 point step-by-step guide for charities and education businesses (as data controllers) to follow in the event of such an attack, focusing on the immediate actions required, communication with the Information Commissioner’s Office (ICO), and notifying affected data subjects.

1. Identify and contain the breach

The first step is to identify the breach and take immediate action to contain it:

  • Establish the nature of the breach: Confirm that personal data has been accessed or compromised. This includes verifying reports of employee or other personal data being uploaded to public websites or the dark web. Access is often gained through servers whose passwords have been compromised by spam and phishing attacks
  • Engage external experts: Consider involving cybersecurity professionals to assist with containment and mitigation, if your IT department does not have the resources and skills to deal with this
  • Stop further access: Engage with those IT security experts to isolate affected systems, secure your network, and prevent further breaches
  • Conduct a preliminary investigation: Identify what data has been compromised, the number of individuals affected, the nature of the information accessed and the methods used by the attackers
  • Contact your lawyers: They can write to the public web providers that have the data on their platforms and issue a takedown notice to get the provider to take down the publicly accessible data.

2. Engage with law enforcement

Given the possible involvement of a foreign criminal organisation, report the incident to the National Crime Agency (NCA), the National Cyber Security Centre (NCSC) and Action Fraud (the UK’s national reporting centre for cybercrime). This is critical for tracking the perpetrators and ensuring legal compliance.

3. Assess GDPR reporting obligations

Under GDPR, a data breach must be reported to the ICO if it is likely to result in a risk to the rights and freedoms of individuals, for example because their personal data has fallen into the wrong hands.

  • Determine the risk level: This depends on the nature of the data accessed. If sensitive personal details such as names, addresses, dates of birth, mobile phone numbers, passport numbers and bank information have been accessed, the breach is highly likely to pose significant risks to data subjects and requires notification to them. Special category data usually means medical records
  • Act within 72 hours: Notify the ICO within 72 hours of becoming aware of the breach. If the report is delayed, provide reasons for the delay

4. Notify the ICO

Prepare a detailed notification to the ICO, including:

  • Description of the breach: Specify what data has been accessed (e.g., passport details, bank account information) and the method of the breach
  • Categories and number of individuals affected: Provide estimates of the volume and types of data compromised
  • Likely consequences: Explain the potential impact on individuals, such as identity theft, fraud, or reputational damage
  • Steps taken or planned: Outline the measures implemented to contain the breach, mitigate its effects, and prevent recurrence
  • Point of contact: Designate a lead contact for further communication with the ICO, typically the Data Protection Officer (DPO).

The ICO provides a template for breach reporting, which can simplify this process. Ensure that your report is factual, comprehensive, and transparent. You are likely to receive a response from the ICO with a questionnaire seeking further information to complete, usually within 2 weeks.

5. Notify your insurers and follow advice from them and your legal advisers

  • Check your insurance cover to make sure that cyber security and data breach risks are covered
  • Take advice from your lawyers around responses to any ICO communications and communications to data subjects. We are here to help.

6. Communicate with affected data subjects

GDPR also requires organisations to inform affected individuals if the breach poses a high risk to their rights and freedoms. This is particularly crucial when sensitive personal data or special category data (see above) is involved.

  • Act promptly: Notify individuals as soon as possible, explaining the nature of the breach and its potential impact
  • Provide clear guidance: Include advice on steps they can take to protect themselves, such as:
    • Monitoring financial accounts for suspicious activity
    • Changing passwords and enabling two-factor authentication
    • Reporting potential fraud or identity theft to the relevant authorities and their banks and credit card companies.
  • Offer support: Consider providing access to credit monitoring services or identity theft protection for affected individuals, although usually they will have this in place, unless they are students below the age of 18
  • Avoid technical jargon: Ensure that your communication is clear, accessible, and empathetic, acknowledging the distress caused by the breach.

7. Implement a recovery plan

To minimise long-term damage, focus on recovery and prevention:

  • Review security measures: Conduct a thorough audit of your cybersecurity practices and implement improvements, such as:
    • Upgrading firewalls and encryption
    • Training staff on cyber security measures and data protection best practices
    • Regularly testing and updating systems to prevent vulnerabilities.
  • Support affected individuals: Continue offering assistance and updates to those impacted, reinforcing trust in your organisation
  • Learn from the incident: Hold a post-incident review to understand what went wrong and refine your incident response plan accordingly.

8. Maintain transparency and accountability

Throughout the process, maintain open communication with stakeholders, including employees, donors, and beneficiaries:

  • Reassure stakeholders: Emphasise the steps taken to address the breach and prevent future incidents
  • Show accountability: Acknowledge responsibility where appropriate and demonstrate your commitment to data protection
  • Public relations strategy: Prepare a statement for the press or social media, ensuring it aligns with your legal obligations and the facts of the case.

9. Prepare for ICO follow-up

The ICO will usually follow up with inquiries or require additional information. Be prepared to:

  • Provide evidence of the steps taken to manage the breach and the timetable of any remaining steps, even if you are still investigating and have not communicated with all data subjects affected
  • Show documentation of your compliance with GDPR, including policies, training records, and audit trails
  • Address any recommendations or enforcement actions from the ICO.

Final thoughts

A cyber-attack can be a terrifying experience, particularly for charities and other not-for-profit organisations, including educational organisations, that rely on public trust and goodwill. By responding swiftly, transparently, and in compliance with GDPR, your organisation can mitigate harm, support affected individuals, and restore confidence. While prevention is the best form of defence, having a clear incident response plan ensures that you are prepared should the worst happen.

We are here to help if you are ever unfortunate enough to suffer a cyber-attack.
