How to handle data breaches according to the GDPR

Under the GDPR (General Data Protection Regulation), organisations must report certain types of data breach within 72 hours of becoming aware of them.

As such, when an incident occurs, security teams must work quickly to investigate the breach, document their findings and disclose the necessary information to the ICO (Information Commissioner’s Office).

In this blog, we provide a step-by-step guide on how to handle a data breach, from detecting that something’s wrong and reporting it, to repairing the damage and getting back to business.

First, let’s explain when you are required to complete this process.

Not all data breaches must be disclosed

There is a misconception that every security incident you suffer must be disclosed. In fact, breaches only need to be reported if they pose a risk to individuals’ rights and freedoms.

This refers to the possibility of affected individuals facing economic damage (for example, fraud), social damage (such as discrimination) or reputational damage (if sensitive information, such as health records, is made available to third parties).

If you suspect that the breached information could result in one of those things, you must report it.

Of course, you won’t immediately know whether that’s the case, so you must always complete the first few steps of the process to evaluate the nature and severity of the incident.

How to respond to a data breach

Organisations need a data breach response plan to ensure that the necessary steps are completed promptly and in order.

GRCI Law’s Data Breach Survival Guide helps organisations do this, providing a comprehensive walkthrough of incident response.

Below is a summary, but you can download the free guide to find out more.

  • Detect

The first, and often hardest, part of incident response is learning when something is wrong. It often takes organisations months to realise that they’ve been breached, during which time the damage can escalate.

Organisations should prioritise incident detection tools, such as automated monitoring and data seeding. They should also consider technologies that flag suspicious activity on employee accounts – with one of the main concerns being logins from unusual locations.
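As an added illustration of the "logins from unusual locations" check mentioned above (example code written for this post, not part of GRCI Law's guide or any product), the script below reads a constructed authentication log, learns which countries each user normally signs in from, and raises an alert when a successful login comes from a country not in that user's baseline or when two successful logins from different countries fall within a short window. The log format, the field names, the four-hour window and the sample lines are all assumptions made for the example.

```python
"""Flag successful logins from locations a user has not been seen from before.

Added example, not from the original post or GRCI Law's guide. The log format,
the field names and the sample lines below are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: ISO timestamp, user, outcome, source country, source IP.
SAMPLE_LOG = """\
2024-03-04T08:01:10Z alice SUCCESS GB 203.0.113.10
2024-03-04T08:05:42Z bob SUCCESS GB 203.0.113.11
2024-03-04T09:15:00Z alice SUCCESS GB 203.0.113.10
2024-03-04T09:40:31Z bob FAILURE RU 198.51.100.7
2024-03-04T10:02:05Z alice SUCCESS BR 198.51.100.22
2024-03-05T08:00:12Z bob SUCCESS GB 203.0.113.11
"""

# Assumption: two successful logins from different countries within this window
# are treated as suspicious (the user could not plausibly have travelled).
TRAVEL_WINDOW = timedelta(hours=4)


def parse_line(line):
    """Split one log line into a dict; raises ValueError on a malformed line."""
    ts, user, outcome, country, ip = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user,
        "outcome": outcome,
        "country": country,
        "ip": ip,
    }


def find_unusual_logins(log_text, baseline=None):
    """Return a list of alerts found in log_text.

    baseline: optional {user: iterable of countries} learned from an earlier
    period. If omitted, the baseline is learned from the log itself as it is
    read, so a user's very first login silently seeds their baseline (cold start).
    """
    seen = defaultdict(set)
    if baseline:
        for user, countries in baseline.items():
            seen[user] |= set(countries)
    last_success = {}  # user -> most recent successful login event
    alerts = []

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["outcome"] != "SUCCESS":
            # Failed attempts are triaged separately: no data was accessed.
            continue
        user = ev["user"]

        # New-location check: country never seen for this user before.
        if seen[user] and ev["country"] not in seen[user]:
            alerts.append({"type": "new_location", "user": user,
                           "country": ev["country"], "ts": ev["ts"]})

        # Impossible-travel check: different country within TRAVEL_WINDOW.
        prev = last_success.get(user)
        if (prev and prev["country"] != ev["country"]
                and ev["ts"] - prev["ts"] <= TRAVEL_WINDOW):
            alerts.append({"type": "impossible_travel", "user": user,
                           "from": prev["country"], "to": ev["country"],
                           "ts": ev["ts"]})

        seen[user].add(ev["country"])
        last_success[user] = ev
    return alerts


if __name__ == "__main__":
    for alert in find_unusual_logins(SAMPLE_LOG):
        print(alert)
```

On the sample log this produces two alerts, both for alice's login from BR: a new location for her account and a country change less than an hour after a GB login. Passing a baseline learned from an earlier period avoids the cold-start blind spot, where a user's first login in the analysed period can never be flagged; the trade-off is that a stale baseline raises noise for users who genuinely move.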

  • Triage

Next, you need to identify whether it’s a genuine breach or a false alarm. Many incidents that you detect may not have put data in danger – for example, if an unauthorised person unsuccessfully attempts to break into an employee’s system.

However, if you believe there is a genuine threat, you must determine whether it meets the GDPR’s disclosure requirements. If that’s the case, the next step is to assess the damage and complete your incident reporting obligations.

GRCI Law’s Data Breach Survival Guide provides a flowchart detailing the incident response process.

  • Assess

You’re now subject to the GDPR’s 72-hour incident response deadline, so you must act quickly to determine the extent of the breach and the steps you must take to mitigate further damage.

This includes documenting what data has been compromised, whether any details are considered special categories of personal data, how many data subjects are affected and whether the information was encrypted.

  • Report

You must document your findings in as much detail as possible. You’re not expected to have comprehensive details within the 72-hour deadline, because the ICO understands that it takes time to fully investigate a breach.

But at the very least, you must be able to explain what happened, whose data may be affected and what steps you’ve taken – or will take – to address the incident.

  • Remediate

Now that you understand what you’re dealing with, it’s time to contain the threat.

What exactly that entails will depend on the nature of the breach. For example, you may need to remotely wipe a stolen laptop, take a leaky database offline or disconnect devices from a network infected with ransomware.

Once this is done, you should implement measures to repair the damage, whether that’s by restoring data from backups or patching a vulnerable system, for example.

You should also consider the ways you can repair reputational damage, such as by contacting affected individuals to apologise or by setting up a helpdesk to answer their queries.

  • Recover

The next step is to get back to business. Recovery is about ensuring survival, so you must be sure that your systems can go live again without creating any further damage.

  • Review

Once you’re back up and running, you should take the time to review the incident and your response.

Work out what you can do to prevent similar breaches from happening again and how you might respond differently the next time an incident occurs.

  • Resolve

The final step – which you will come to either after a false alarm or after you’ve dealt with and reviewed the incident – is to mark the breach as resolved.

It’s important to log this information, no matter how serious the damage, because it will help you fine-tune your detection mechanisms and inform future decisions.

More to the point, organisations are required to record every breach, notifiable or not, under the GDPR.

What happens when you report a breach?

When you report a security incident to the ICO, it will either confirm that no further steps are necessary or begin a formal investigation.

An investigation can take several months to complete, given the back-and-forth nature of providing documentation and interviewing employees.

You will no doubt have heard about regulators’ powers to issue multi-million-pound fines, but these are reserved for only the most severe breaches.

In most instances, organisations will be subject to enforcement action and a modest – although still prohibitive – fine, which is typically in the region of €66,000 (about £57,000).

Supervisory authorities are generally more lenient towards organisations that handle their notification requirements responsibly.

We saw that last year, when the DPC (Data Protection Commission) in Ireland issued a €75,000 (about £65,000) fine against Tusla for a series of violations.

Tusla disclosed children’s personal information to authorities on three occasions, but each time reported the incident in a timely fashion and worked with the DPC to investigate the breach.

It demonstrates that prompt notification is an essential part of incident response – both in terms of protecting your reputation and saving you money.

Download our Data Breach Survival Guide

You can find more advice on how to respond to security incidents by downloading our Data Breach Survival Guide.

It will help you:

  • Understand the importance of being prepared for data breaches;
  • Appreciate why preventive, detective and responsive measures are vital;
  • Create an incident response plan; and
  • Understand your notification requirements under the GDPR.