GDPR Data Breaches Your Guide


It’s time to discuss one of the uncomfortable truths of data protection and cybersecurity: breaches will happen, no matter how many steps and procedures you put in place to avoid them. Systems are designed, built and run by people, and people are not flawless. People make mistakes, and those mistakes can lead to a data breach.

This is why, no matter how strong your data protection policy is, you need a plan of action in case the dreaded incident happens and your company suffers a data breach. The implications of a breach go far beyond a potential GDPR fine and extend into serious reputational damage for your business. Your main concern shouldn’t be the legal implications, but the potential consequences for your business. GDPR compliance discussions often focus on the threat of huge fines that can result from a breach and on preventing the breach; less commonly discussed, and equally important, are the steps that must be taken when a breach occurs.

The best way to prepare for a data security breach is to accept it as an inevitability and plan accordingly. No matter how many security protocols and steps you put in place, there is always the chance that someone will get around your systems or (more likely) that someone in your team will make a mistake and a breach will occur.


The Background


Since the GDPR came into law with the UK’s Data Protection Act of 2018, there has been considerable noise about what it means for businesses. In reality, things are still evolving and we don’t fully know yet. The true consequences of the GDPR will be determined by case law, which will take several years to emerge. The Information Commissioner’s Office (ICO) in the UK is still finding its feet when it comes to enforcing compliance and is taking a relatively slow approach to sanctioning companies.

For this reason, it’s important to see the GDPR as a framework that can help you get adequate data security protection and mitigation measures in place.


Your Legal Obligations


After a breach occurs, you have 72 hours to inform the relevant GDPR regulator in the country where the breach took place. In the UK, this means the ICO. The ICO has developed a self-assessment tool to help companies determine whether a breach is reportable or not.


Putting Together Your Plan


What the ICO doesn’t provide is a plan for dealing with a data breach. If you don’t have one, then you should start to make one now. The last thing you want to be doing while dealing with the reputational fallout that accompanies a data breach is working out the practical steps you need to take.

If you can assign distinct responsibilities to everyone on your team and make it clear to them what those responsibilities are, it will save time in mitigating the impact of the breach. If members of your team already use an existing agile methodology or something similar, then use that framework for your GDPR response plan.

Remember, there are a number of steps that you are required to take by law in the event of a data breach:

  • Determine if you must inform the regulatory authority and do so if required.
  • Ensure that the breach is repaired and no further information can be compromised.
  • Determine if you must inform your customers and do so if required.


How to Inform Your Customers


You are legally obliged to inform anyone impacted by a data breach if the breach is likely to result in a ‘risk to their rights or freedoms’. There is not yet any case law that gives a more specific definition of this, but it’s generally taken to be a function of the sensitivity of the personal data that was breached: if medical or tax records were disclosed, you would want to inform the impacted individuals. While it is clear that you must inform the individuals, the law does not prescribe a course of action, leaving it up to companies to determine how much detail their customers need to know. Case law may change this in the future but, for now, it’s most important to draw up your own approach in advance.


Communicate Internally


People across a company have a habit of going to ground when this type of data breach incident takes place. While the chances are that you will be incredibly busy mitigating the breach, this doesn’t mean that you should avoid communicating internally about what has happened and the steps that you are taking to fix things.

Industries that have long dealt with safety and security incidents have developed robust approaches to ensure lessons are learned from failures. For example, the civil aviation industry has a ‘no blame’ culture designed to ensure that lessons are learned from mistakes and that all parties are honest with investigators.

Managing data breaches can be difficult, and it’s still essential to do everything you can to avoid a breach, but it’s also important to have a culture that allows people to report breaches when they occur.

To make sure you have processes in place not only to prevent breaches, but also to react effectively when they do occur, book a demo with one of our GDPR experts to see how Relentless GDPR 24/7 can help.


Global Data Privacy and Cyber Security a Proactive Alliance


New laws are taking effect across the globe to regulate the collection, use, retention, disclosure and disposal of personal information. At the same time, the rate of cyber attacks, data breaches and unauthorised use of personal data is growing exponentially.

In the current environment, it is more important than ever, particularly for those organisations handling financial data, health information and other personally identifiable information, to understand the rights and obligations of individuals and organisations with respect to personal information.

Our latest article provides an overview of some of the new data privacy laws, rules and regulations that are, or soon will be, in effect, outlines cyber security and data protection best practices and compliance programmes to help organisations comply with the evolving new data privacy requirements, and touches on the role of new technologies in mitigating risks and supporting compliance.

The exponentially evolving data privacy regulatory space


The European Union’s enforcement of the General Data Protection Regulation (GDPR) commenced on 25 May 2018, and brought sweeping changes to the privacy and data security policies of the vast majority of companies operating not only in the EU, but across the globe.

The provisions of the GDPR that all companies should take note of include the requirement for explicit and informed consent for collecting personal data and mechanisms to withdraw such consent, breach notifications, the right to access all data that a company has collected, and the right to be forgotten through the erasure and cessation of the dissemination of data. Penalties for breach of the GDPR are steep, of course – up to 4 percent of annual global turnover or €20m, whichever is greater.

The regulatory environment in the US comprises a somewhat convoluted, patchwork system of federal and state laws governing privacy and data security concerns that is continuing to evolve to try to address the rash of data breaches and unauthorised use of personal data that are occurring with ever-increasing frequency.

All 50 states, as well as the District of Columbia, Puerto Rico and the US Virgin Islands, have enacted laws requiring notification of security breaches involving personal information. Companies can face both civil and criminal penalties for a data breach of sensitive information, and some state and federal laws give individual citizens the right to file class action lawsuits for privacy violations. Massive class action lawsuits, like the 2013 Target data breach litigation and the currently pending 2017 Equifax data breach litigation, highlight the significant risks that companies face in the wake of a cyber security attack, or as a consequence of either not having best practices and compliance programmes in place or simply not following them.


Importance of cyber security and data protection best practices


The stakes have never been greater than they are right now with respect to the collection, use, retention, disclosure and disposal of personal information. With the present regulatory framework and knowledge of where it is heading, companies can expect to continue to face rising costs and escalating risks associated with their privacy and data security practices.

A number of resources are available that can provide guidance and assistance with addressing privacy and data security practices, as well as to ensure that the practices and programmes implemented are compliant with relevant laws and regulations. The EU and some US Federal agencies, including the Federal Trade Commission (FTC) and the National Institute of Standards and Technology (NIST), have been promulgating updated guidelines and recommendations for privacy and data security best practices in a variety of industries, including some of the newer Internet of Things and peer platform (sharing economy) marketplaces. Additionally, several industry groups have adopted self-regulatory programmes and rules, including certification programmes, to which a company can voluntarily abide.

In view of these guidelines and others, companies are further encouraged to establish internal policies and procedures to ensure compliance. Business policies may include a top-level information security and privacy policy, which expresses a commitment to data security and privacy from the top-level officers of a company, a risk management programme, an acceptable use policy, access compartmentalisation, communications monitoring, breach reporting, a document retention policy and outsourcing policies. Technical policies may include a variety of commitments to technical controls to ensure the protection of data, including encryption, passwords, authentication protocols, disaster recovery, intrusion detection, physical security, patching and the like.

For companies with a public-facing website, website privacy policies are a must. Additionally, a written incident response plan is critical for establishing protocols for activating a response team, assessing data breach activity, containing the data breach, and providing guidelines for involving other parties, such as law enforcement and the officials that require notification under data breach laws. Further, a company must continue to audit and maintain certification as necessary to ensure that its policies and procedures are enforced and remain current. A variety of enterprise privacy management software and compliance solutions may be used internally to help companies audit their systems.


Privacy and data security must form part of the conversation when utilising new technology


While it may be easier said than done to implement new policies and best practices, companies are faced with the additional challenges of evaluating and deploying new technologies that simultaneously may both hinder and help with compliance in view of the new privacy and data security regulations. For example, block-chain technology offers significant advantages for a wide variety of applications from a data security perspective, offering the ability to record transactions in a decentralised and immutable fashion. However, these same technological principles may raise complex issues when looking at compliance with new privacy regulations. For example, in connection with the “right to be forgotten” under the GDPR, how is a subject’s personal information to be erased from an immutable and fully-distributed block-chain? A variety of solutions have been proposed to provide for greater control and management of information with block-chain, including anonymous transactions and voting systems, secret contracts and blind auctions, but they will have to be evaluated in view of the evolving regulatory framework.

Artificial intelligence (AI), and specifically machine learning (ML) techniques, are now widely employed to enable computers to learn and adapt to new input. Such AI technology can be used in cyber security systems to provide automated processes for the identification of new threats and the implementation of technology controls and protection. On the flip side, hackers have also started to weaponise AI, creating programmes that can study systems, evaluate vulnerabilities or even create persuasive phishing schemes based on the behaviour of social networks. AI applications may also raise privacy issues, especially given the large volume of data required to build a model and the often ‘black box’ lack of transparency behind the logic used by AI agents to arrive at a decision about a person.

New outward-facing tools and platforms have also been developed to allow users to control how their data is being used. For example, Facebook recently released a set of privacy tools, including a unified privacy dashboard, and has announced the launch of a new clear history tool. Such tools cannot be overlooked, as they may be essential for meeting requirements of the new privacy regulations, such as data portability, the right to be forgotten, and withdrawal of consent to the collection of personal data.

Recognition of the new and evolving international privacy and security regulations is a requirement, especially in view of the threat of increasing liability and risk with statutory penalties and class action lawsuits. Implementing a compliance programme with a set of best practices for privacy and data security will surely help mitigate these risks, but it is a continuing process, especially as companies face new hurdles when rolling out new systems and technologies.

This is particularly true where newer technologies, such as block-chain and AI, are incorporated into systems in a manner that simultaneously offers important contributions to security and privacy while exposing new vulnerabilities and concerns. Thus, companies may be well-served by a privacy by design approach that promotes privacy and data security compliance from the start in order to mitigate risk down the road.



Three Key Compliance progressions for 2019/2020


How is compliance faring in 2019, and what is in store for 2020?


2019 has been a complex year for compliance. Regulations are continuing to evolve, and meeting those compliance requirements is proving to be a challenge. However, companies that are dealing effectively with data compliance are seeing benefits in their day-to-day business operations. They are avoiding costly fines, thus keeping negative, brand-damaging headlines at bay. Here we discuss the three biggest compliance trends in 2019/2020.


Data Privacy Will Prioritise Consumers and the Organisation


While data protection and data privacy are popular subjects nowadays, they have only become real factors in the last few years. And within those few years, the goal of data privacy has changed significantly. Originally, the priority was protecting investors and executives, since they could be on the hook if one of their investments was found to have mishandled financial or consumer data. But as consumers have become increasingly knowledgeable and concerned about how their data is collected and used, they have started to become a greater concern.

Joined at the hip with this is the rise of data privacy legislation and frameworks. Between international regulations like GDPR, sector- or industry-specific compliance frameworks like NIST or HIPAA, and region-wide legislation like the Consumer Privacy Act introduced by California in 2018 (becoming law in January 2020), most organisations processing consumer data have to comply with some type of regulation, whilst global organisations have to meet a myriad of data privacy acts.

So why are consumer knowledge and regulations impacting data privacy prioritisation so strongly? Reputation and monetary hits. I have yet to find a company that wants to announce to the world that it just had a data breach and allowed all its customer data to be exposed to hackers. Consumers will lose trust in the organisation and may even leave it for a competitor. In addition to the brand damage, it also means a loss in profit and a distraction for the organisation. And with the potential fees and settlements the company may have to pay as a result of the breach, that’s even more money lost which could have been spent enhancing the brand. Even a small breach of consumer data could take years to recover from.

Therefore, organisations must take consumer and organisational data privacy more seriously than ever before. The best ones will do two key things:

  • Implement new initiatives to ensure consumer data is considered during the business development process.
  • Train internal end users around data privacy.

On the first point, there is a tension here: there is always the possibility that new data privacy regulations overreach to the point where companies miss out on new growth opportunities due to their efforts at compliance. But when data privacy is done right, it is possible to protect consumer data while still growing the business.

On the second point, whether those employees are in support, marketing, sales or engineering (amongst other historically non-customer-facing departments), these training courses are designed to help them understand exactly what they can and cannot do with customer data and how to avoid a catastrophic incident. Employees are a company’s first line of defence, and if they aren’t familiar with basic security best practices, hackers are sure to infiltrate the organisation. Large numbers of breaches after 25 May 2018 were caused by internal mistakes by employees.


GDPR Will Remain Enigmatic


The initial surge of attention and scaremongering had everyone in panic mode over GDPR. There were so many unknowns about the new regulation, and no one wanted to be caught off guard. This helped raise the profile of compliance teams, as every organisation put its best foot forward to make sure it was doing what it needed to do. In a sense, GDPR was the catalyst that the compliance world needed.

Since GDPR became law, that worldwide panic has steadily decreased in the UK and EU, whilst in other regions of the world countries have been enacting their own data privacy laws. And while, on the one hand, it’s nice that organisations don’t feel as alarmed as they used to, on the other hand, the decrease is likely because of the ambiguity that still surrounds GDPR declarations. Just over 18 months after the regulation went into effect, organisations are still confused about its practical application, attestation practices and whether they’re compliant. This confusion likely persists because we have only recently seen the major threat of GDPR truly come to fruition, with the devastating fines that were widely predicted before the act came into law.


The C-Suite Will Form Alliances and Work Together for Compliance


CISOs, CIOs and even CEOs are feeling the heat in the new regulatory environment, and this is getting everyone on the same page. C-suite executives are finally realising that compliance is not a part-time job that can be allocated to an employee as an extra task, and that there must be a solid, consistent investment in compliance to satisfy requirements and gain value from it.

An example of this is the New York State Department of Financial Services introducing several new cybersecurity regulations that apply to financial companies doing business in New York. One of the regulations states that these companies must appoint a CISO. Furthermore, this officer must report directly to the board of directors and issue an annual report highlighting the company’s cybersecurity compliance and identifying risks for potential breaches.

Another positive is that all the various frameworks and regulations have vastly increased collaboration among organisations’ teams. All things considered, this is good news for most organisations. The effort to achieve compliance builds cross-organisational alliances. This trend is especially prevalent between CIO and CISO departments. Historically, these two have had differing goals, but regulations like GDPR are forcing these departments to become interdependent.

This is shaping up to be a defining period for compliance. More conversations about compliance are taking place inside and outside organisations — and more companies are reaching out to technology vendors to make compliance easier for them. Compliance may not be the coolest tech topic in 2019/2020, but at the rate fresh ideas are emerging and innovation is taking place, compliance will certainly have a bright future and play a prominent role in business for many years to come.