Herbert Smith Freehills' (HSF) in-house cybersecurity team has built and developed a new tech platform to help clients respond quickly in the aftermath of a data breach.

The new offering has already been trialled on a number of personal data breaches, demonstrating significant cost savings.

Under new General Data Protection Regulation (GDPR) rules, once an organisation has established that a personal data breach has occurred, it must report the scale of the leak to the Information Commissioner's Office (ICO) within 72 hours, while it may also be required to inform affected individuals.

These requirements are particularly challenging when organisations face sifting through massive volumes of unstructured data.

HSF global cybersecurity head Andrew Moir, who took a lead role on the project, explained: "A client could be in a situation where they have thousands of emails which have been breached, and you don't immediately know what's in them and who they relate to. Historically, you'd do a manual review with teams of lawyers itemising the personal data within the documents. It can be very time consuming, and we thought there must be a better way to do it. This is a way into the data, and gives you the visibility upfront you wouldn't have otherwise."

The platform is trained to pick out personal data from the breached information sources – for example documents, emails or spreadsheets – and can then link that personal data back to the person affected. The tool can also create automatic distribution lists so that the client can notify the individuals directly.

The software can also provide demographics of the breach, which will help the organisation assess what international regulatory regimes will apply.

According to Moir: "In some cases where we've used this tool, we've actually avoided doing a significant review of the underlying materials at all. When there's no review or a very targeted review, the cost can be of the order of 10%-20%. It depends how much data there is – the economies of scale are greater for larger breaches. In a matter we did recently – a medium-size breach with over a hundred gigabytes of data – the costs associated were about 20%."

Because the software can also identify documents that contain the most significant personal data, any manual review which is considered necessary – for example on a high-profile breach attracting more attention from regulators – will be of fewer documents and take far less time. Moir says the cost can still be less than half of a manual review.

In creating the platform, Moir said the cybersecurity team cut development time and avoided complex processes that come with outsourcing development and testing, due to the fact that lawyers in the team have coding skills. This project used a combination of programming languages C# and SQL.

He added: "It took us a little while to turn the idea into a reality, but we also needed to develop the process around it. It needs to be defensible, and for any given breach the regulator will need to be satisfied that it's an appropriate way to proceed. We've used it in matters already and as long as you're in a position to justify your approach when the time comes, you should be fine with the ICO."

Moir has previously written software to help settle ownership disputes for financial algorithms, and has also developed a number of home-automation apps that are on sale in the Google Play store: "I've been coding since I was knee-high – I was part of the generation that grew up with a computer. The difference with me is that I've maintained it. When I decided to be a lawyer, I didn't stop doing it."