The General Data Protection Regulation (GDPR) not only outlines how personal data must be protected, but also how any breaches are to be handled. As a data controller (a party that stores personal data) your business has several key responsibilities – but do you know what they are?
Report the incident
When personal data held by your company is exposed, you must assess the severity of the situation as soon as you become aware of it. You must report the breach to your relevant supervisory authority (the Data Protection Commissioner) within 72 hours of the breach being discovered.
Every incident will need to be reported using the relevant mechanisms for your country. You can find a list of Data Protection Authority contacts across Europe here.
There is one exemption to this reporting requirement. If you can clearly demonstrate that the breach is “unlikely to result in a risk to the rights and freedoms of natural persons, in accordance with the accountability principle”, no report needs to be filed.
Contact affected customers
Once the report has been made to your supervisory authority, your business should seriously consider contacting each affected individual to make them aware of the incident. Indeed, you could be compelled by the Data Commissioner to notify these people.
By contacting affected individuals early, your business can begin the process of restoring trust immediately.
Repair the breach
While the relevant parties are being contacted, your technical team should be working to identify the source of the breach. Software needs to be patched, firewall rules updated and any further safeguards implemented to prevent a recurrence of the breach.
The IT team will also need to contact relevant third-party service providers to advise them of the breach. They can then work together to fix any vulnerabilities that exist in the hosted infrastructure.
Doing nothing is not an option – you must act immediately to prevent future data loss events.
Preparing for the worst
The reality is that data breaches happen on a regular basis: 46% of all UK businesses, for instance, reported at least one security incident during 2017.
It is essential that your GDPR preparations include the creation of a breach response plan. Similar to a disaster recovery procedure, this plan will map out the exact actions your team needs to take, the order in which they are completed, and the individuals who will oversee each activity.
You will also need to implement a breach register, allowing you to document each incident. These entries will provide the basis for your communications with the Data Commissioner. For each incident the register must document “the facts relating to the personal data breach, its effects and the remedial action taken”.
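As an added example (not code from the original article), a minimal breach register in Python that holds the three fields the regulation requires, computes the 72-hour reporting deadline from the moment of awareness, and flags an exemption claim that has no recorded rationale; the entries, reference numbers and dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

NOTIFICATION_WINDOW = timedelta(hours=72)  # reporting window stated in the article


@dataclass
class BreachRecord:
    """One register entry; the three text fields follow the GDPR wording quoted above."""
    reference: str                  # constructed internal reference, not a GDPR field
    became_aware: datetime          # when the controller became aware (timezone-aware)
    facts: str                      # "the facts relating to the personal data breach"
    effects: str                    # "its effects"
    remedial_action: str            # "the remedial action taken"
    likely_risk: bool               # True unless the risk assessment concluded "unlikely"
    risk_rationale: str = ""        # written justification when claiming the exemption
    reported_at: Optional[datetime] = None

    def deadline(self) -> datetime:
        return self.became_aware + NOTIFICATION_WINDOW

    def missing_fields(self) -> list:
        # Names of mandatory register fields that are still blank.
        required = {"facts": self.facts, "effects": self.effects, "remedial_action": self.remedial_action}
        return [name for name, text in required.items() if not text.strip()]

    def status(self, now: datetime) -> str:
        """Where this entry stands against the 72-hour window at time `now`."""
        if not self.likely_risk:
            # An exemption claim is only defensible if the rationale is on record.
            return "exempt" if self.risk_rationale.strip() else "exempt-unjustified"
        if self.reported_at is not None:
            return "reported" if self.reported_at <= self.deadline() else "reported-late"
        return "overdue" if now > self.deadline() else "pending"


def sample_register() -> list:
    """Constructed sample entries; every detail here is invented."""
    aware = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    return [
        BreachRecord("BR-001", aware, "Unencrypted backup drive lost in transit",
                     "Names and addresses of 1,200 customers exposed", "", likely_risk=True),
        BreachRecord("BR-002", aware, "Encrypted laptop stolen from a car",
                     "Data unreadable without the key", "Device remotely wiped",
                     likely_risk=False, risk_rationale="Full-disk encryption; key not exposed"),
    ]


def statuses_after(hours_since_awareness: float) -> dict:
    # Status of each sample entry as seen this many hours after it was discovered.
    return {r.reference: r.status(r.became_aware + timedelta(hours=hours_since_awareness))
            for r in sample_register()}
```

Calling `statuses_after(73)` shows the first entry as overdue while the second stays exempt, and `missing_fields()` on the first entry reveals that its remedial action has not yet been recorded.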
Training is key
There is a very high chance that your business will experience some kind of cyber security breach at some point in the future. As well as investing heavily in reducing the risk of breach, your business needs to prepare for the worst, ensuring that all stakeholders understand their role in dealing with the aftermath.
The GDPR is an organisation-wide concern, so departments that until now may not have paid much attention to data security will have to be trained on what it means for them. HR teams may need to change how CVs and employee data are shared and secured, marketing and sales should be revising their business development and lead generation funnels, and finance should be reviewing supplier and billing data.
Ensuring your organisation is fully aware of the GDPR and properly trained means not only that certain breaches can be avoided, but also that teams can identify breaches quickly and handle the situation appropriately.