If your organisation suffers a data breach, you must act quickly. The GDPR (General Data Protection Regulation) gives you 72 hours to report serious incidents, during which time you must investigate the source of the breach, document your findings and disclose other relevant details.
Although you aren’t expected to provide a comprehensive review of what happened at this stage, the UK’s data protection authority, the ICO (Information Commissioner’s Office), will expect certain details.
As such, you must have a plan for when disaster strikes and ensure that everyone in your organisation knows what to do. This will help you meet your notification requirements and enable business to continue as uninterrupted as possible.
Time is money
An effective breach notification process not only helps you meet your GDPR requirements but also protects the overall health of your organisation. Studies have repeatedly shown that the faster an organisation can respond to a breach, the smaller the costs will be.
This includes money lost due to business disruption as well as customer churn following reputational damage. Additionally, you can demonstrate to the regulator that you take data protection seriously by implementing a formal breach notification process.
The first step is to identify the scale of the breach.
That means finding out the types of personal data involved (names, email addresses, financial records, etc.) and the number of records that have been compromised.
Next, you must identify how your data was exposed and isolate the affected areas. Once this has been done, you should implement your business continuity plan. This ensures that your business-critical functions continue to operate during the disruption.
Simplify your notification process with our Retained Data Breach Management Service.
This annual package gives you peace of mind knowing that when a breach occurs, your incident response and notification requirements will be dealt with by experts.
Our team of consultants will help you respond to the breach quickly and in line with the GDPR’s 72-hour reporting requirement, allowing you to continue running your business with minimal disruption.
Does the breach need to be reported?
With the data breach now under control, you can assess the damage and work out whether you need to notify the ICO and affected individuals.
Data breaches must be reported to the ICO if they “pose a risk to the rights and freedoms of natural living persons” and to individuals if they pose a “high risk”.
In this context, risk refers to the possibility of affected individuals facing economic or social damage, such as discrimination, reputational damage or financial losses.
If you believe the breach meets that threshold, you must complete a report containing the following information:
- Situational analysis: Provide as much context as possible, including the initial damage (what happened), how it affected your organisation (what went wrong) and what caused it (how it happened).
- Assessment of affected data: Determine the categories of personal data and the number of records concerned.
- Description of the impact: Describe the consequences of the breach for affected parties. This will depend on the information that was compromised.
- Report on staff training and awareness: If the breach was a result of human error, did the employee(s) involved receive data protection training in the past two years? Provide details of your staff awareness training programme.
- Preventive measures and actions: What measures did you have in place before the breach to prevent incidents like this from occurring? What steps have you taken, or do you plan to take, to mitigate the damage?
- Oversight: Provide the contact details of your DPO (data protection officer) or the person responsible for data protection.
The rules for notifying affected individuals are less prescriptive. Organisations are advised to issue a public statement informing them of the incident and the affected information.
However, organisations often take extra steps, such as setting up a web page or helpline that individuals can use to find out more and have their questions answered.
It’s worth adding that the GDPR requires organisations to keep a record of all personal data breaches. As such, even if a security incident doesn’t meet the Regulation’s notification requirements, you should document your findings for internal use.
Data breaches – before and after they occur
You can learn more about preparing for and responding to data breaches with GRCI Law’s latest webinar.
“Data breaches – before and after they occur” takes place on Thursday, 17 March 2022 from 3:00 pm.
Cyber Incident Responder Cliff Martin and Operations Director John Potts will discuss the measures you can adopt to prevent data breaches, and what you can do following a security incident to minimise losses.
The 45-minute presentation will cover:
- The types of data breaches organisations face in today’s cyber landscape;
- The data breach processes organisations should implement to minimise risk;
- What your organisation should do to prepare for a data breach;
- What happens once a data breach is identified; and
- Practical solutions to handle data breaches.