The General Data Protection Regulation (GDPR) not only outlines how personal data must be protected but also how any breaches are to be handled. As a data controller (a party that stores personal data) your business has several key responsibilities – but do you know what they are?

Report the incident

When personal data held by your company is exposed, you must assess the severity of the situation as soon as you become aware of it. You must report the breach to your relevant supervisory authority (the Data Protection Commissioner) within 72 hours of the breach being discovered.

Every incident will need to be reported using the relevant mechanisms for your country. You can find a list of Data Protection Authority contacts across Europe here.

There is one exemption to this reporting requirement. If you can clearly demonstrate that the breach is “unlikely to result in a risk to the rights and freedoms of natural persons, in accordance with the accountability principle”, no report needs to be filed with the supervising authority, but the decision and its justification will need to be documented in your incident report register.

Contact affected customers

Once the report has been made to your supervisory authority, your business should seriously consider contacting each affected individual to make them aware of the incident. Indeed, you could be compelled by the Data Commissioner to notify these people. 

Article 34(1) states: “When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.”

By contacting affected individuals early, your business can begin the process of restoring trust immediately. 

Repair the breach

While the relevant parties are being contacted, your technical team should be working to identify the source of the breach. Software needs to be patched, firewall rules updated and any further safeguards implemented to prevent a recurrence of the breach. 

The IT team will also need to contact relevant third-party service providers to advise them of the breach. They can then work together to fix vulnerabilities that exist in their hosted infrastructure. Updating the system as soon as possible after the breach occurs can prevent another breach from happening.

Doing nothing is not an option – you must act immediately to prevent future data loss events. 

Preparing for the worst

The reality is that data breaches happen on a regular basis: 46% of all UK businesses, for instance, reported at least one security incident during 2020. The rate is highest among medium (68%) and large (75%) businesses, and one in five of these breaches resulted in a material loss, such as money or data.

It is essential that your GDPR preparations include the creation of a breach response plan. Similar to a disaster recovery procedure, this plan will map out the exact actions your team needs to take, the order in which they are completed, and the individuals who will oversee each activity. 

You will also need to implement a breach register, allowing you to document the incident. These entries will provide the basis for your communications with the Data Commissioner. For each incident, the register must document “the facts relating to the personal data breach, its effects, and the remedial action taken”. 
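The three obligations above (report to the supervisory authority within 72 hours of becoming aware, communicate to data subjects when the risk is high, and record the facts, effects and remedial action for every incident, including a justification when no report is filed) are mechanical enough to encode. The following is an added example written for this page, not Advantio's or the author's code; the `Risk` levels, the record fields and the sample incidents are assumptions chosen to illustrate the workflow, and the register is an in-memory list rather than the persistent system a real controller would use.

```python
"""Minimal GDPR breach register: deadline tracking and notification decisions.

Assumed model (not from the article): a breach is classified by the
controller as UNLIKELY, LIKELY or HIGH risk to the rights and freedoms of
natural persons. LIKELY and HIGH require an Article 33 report to the
supervisory authority within 72 hours of awareness; HIGH additionally
requires Article 34 communication to the affected data subjects; UNLIKELY
requires no report but must carry a documented justification.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, List, Optional


class Risk(Enum):
    UNLIKELY = "unlikely"   # exempt from reporting, justification mandatory
    LIKELY = "likely"       # report to supervisory authority
    HIGH = "high"           # report AND communicate to data subjects


REPORT_WINDOW = timedelta(hours=72)   # Article 33(1) reporting window


@dataclass
class BreachRecord:
    """One register entry: the facts, effects and remedial action taken."""
    reference: str
    aware_at: datetime                 # when the controller became aware
    facts: str
    effects: str
    remedial_action: str
    risk: Risk
    justification: str = ""            # why no report was filed (UNLIKELY only)
    authority_notified_at: Optional[datetime] = None
    subjects_notified_at: Optional[datetime] = None

    def __post_init__(self) -> None:
        if self.aware_at.tzinfo is None:
            raise ValueError("aware_at must be timezone-aware to compute deadlines")
        if self.risk is Risk.UNLIKELY and not self.justification.strip():
            raise ValueError("a documented justification is required when no report is filed")

    @property
    def report_deadline(self) -> datetime:
        return self.aware_at + REPORT_WINDOW

    def must_report_to_authority(self) -> bool:
        return self.risk is not Risk.UNLIKELY

    def must_communicate_to_subjects(self) -> bool:
        return self.risk is Risk.HIGH

    def outstanding_actions(self, now: datetime) -> List[str]:
        """Obligations still open at time `now`; an empty list means nothing is pending."""
        actions: List[str] = []
        if self.must_report_to_authority() and self.authority_notified_at is None:
            remaining = self.report_deadline - now
            if remaining <= timedelta(0):
                actions.append("authority report OVERDUE")
            else:
                hours = int(remaining.total_seconds() // 3600)
                actions.append(f"report to authority within {hours}h")
        if self.must_communicate_to_subjects() and self.subjects_notified_at is None:
            actions.append("communicate breach to affected data subjects")
        return actions


@dataclass
class BreachRegister:
    records: List[BreachRecord] = field(default_factory=list)

    def add(self, record: BreachRecord) -> None:
        if any(r.reference == record.reference for r in self.records):
            raise ValueError(f"duplicate reference {record.reference}")
        self.records.append(record)

    def open_items(self, now: datetime) -> Dict[str, List[str]]:
        """Map of reference -> pending actions, only for records with something pending."""
        result: Dict[str, List[str]] = {}
        for record in self.records:
            pending = record.outstanding_actions(now)
            if pending:
                result[record.reference] = pending
        return result


# Constructed sample data (not real incidents) so the module runs offline.
SAMPLE_AWARE = datetime(2021, 3, 1, 9, 0, tzinfo=timezone.utc)


def build_sample_register() -> BreachRegister:
    reg = BreachRegister()
    reg.add(BreachRecord("BR-0001", SAMPLE_AWARE,
                         facts="Customer export file shared to a public link",
                         effects="Names, emails and addresses of 1,200 customers exposed",
                         remedial_action="Link revoked, sharing policy tightened",
                         risk=Risk.HIGH))
    reg.add(BreachRecord("BR-0002", SAMPLE_AWARE,
                         facts="Laptop lost in transit",
                         effects="Disk was full-disk encrypted; no data readable",
                         remedial_action="Device remotely wiped, asset register updated",
                         risk=Risk.UNLIKELY,
                         justification="Data unreadable without key; key not on device"))
    return reg


if __name__ == "__main__":
    now = SAMPLE_AWARE + timedelta(hours=10)
    for ref, actions in build_sample_register().open_items(now).items():
        print(ref, "->", "; ".join(actions))
```

Each record is timezone-aware so the 72-hour clock is unambiguous across offices, and an `UNLIKELY` record cannot be created without its justification, which mirrors the article's point that invoking the exemption still has to be documented.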

Training is key

There is a very high chance that your business will experience some kind of cybersecurity breach at some point in the future. As well as investing heavily in reducing the risk of breach, your business needs to prepare for the worst, ensuring that all stakeholders understand their role in dealing with the aftermath. 

The GDPR is an organization-wide concern. This means departments that to date may not have been much concerned with data security will have to be trained on what it means for them. HR teams may need to change how CVs and employee data are shared and secured, marketing and sales should be revising their business development and lead generation funnels, while finance should be reviewing supplier and billing data.

Ensuring your organization is fully aware of the GDPR, and training staff accordingly, means that not only can certain breaches be avoided, but teams can also identify breaches quickly and handle the situation appropriately.

How to Respond to a Data Protection Breach Under the GDPR


Written by Eugenio Bonzi

I am the Senior Data Protection Consultant in Advantio. I have great experience in ICT and Telco services, where I covered several roles and responsibilities. In the last 10 years, I focused my attention in information security and business continuity compliance.
