It’s time to discuss one of the uncomfortable truths of data protection and cyber security: breaches will happen, no matter how many controls and procedures you put in place to avoid them. Systems are designed, built and run by people, and people are not flawless. People make mistakes, and mistakes lead to data breaches.

This is why, no matter how strong your data protection policy is, you need a plan of action for the day the dreaded incident happens and your company suffers a data breach. The implications of a breach go far beyond a potential GDPR fine and extend into serious reputational damage for your business. Your main concern should not be the legal implications alone, but the wider consequences for your business. GDPR compliance work usually focuses on preventing a breach and on the threat of the large fines that can follow one. Less commonly discussed, and equally important, are the steps that must be taken when a breach occurs.

The best way to prepare for a data security breach is to accept it as an inevitability and plan accordingly. No matter how many security controls you put in place, there is always the chance that someone will get around them or (more likely) that someone in your team will make a mistake and a breach will occur.
Since the GDPR took effect in May 2018, supplemented in the UK by the Data Protection Act 2018, there has been considerable noise about what it means for businesses. In reality, things are still evolving and we don’t fully know yet. The true consequences of the GDPR will be determined by case law, which will take several years to emerge. The Information Commissioner’s Office (ICO) in the UK is still finding its feet when it comes to enforcing compliance and is taking a relatively measured approach to sanctioning companies. For this reason, it’s important to see the GDPR as a framework that can help you get adequate data security protection and mitigation measures in place.
Your Legal Obligations
After a breach occurs, you have 72 hours from becoming aware of it to notify the competent supervisory authority, unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals affected. In the UK, this means the ICO. Whether or not you notify, you must keep an internal record of the breach, its effects and the remedial action you took. The ICO has developed a self-assessment tool to help companies determine whether a breach is reportable or not.
Putting Together Your Plan
What the ICO doesn’t provide is a plan for dealing with a data breach. If you don’t have one, start making one now. The last thing you want to be doing while dealing with the reputational fallout that accompanies a data breach is working out the practical steps you need to take.

If you can assign distinct responsibilities to everyone on your team and make those responsibilities clear to them in advance, it will save time in mitigating the impact of the breach. If members of your team already use an agile methodology or something similar, use that framework for your GDPR response plan.

Remember that there are a number of steps you are required to take by law in the event of a data breach:
- Determine whether you must notify the supervisory authority (within 72 hours of becoming aware of the breach) and do so if required.
- Contain the breach so that no further personal data can be compromised, and record what happened and what you did about it.
- Determine whether you must inform the affected individuals and do so if required.
How to Inform Your Customers
You are legally obliged to inform the individuals affected by a data breach if it is likely to result in a ‘high risk to their rights and freedoms’, a higher bar than the ‘risk’ that triggers notification to the regulator. There is not yet any case law that gives a more specific definition of this, but it is generally taken to be a function of the sensitivity of the personal data involved and what could be done with it, so if medical or tax records were disclosed you would want to inform the impacted individuals. The law sets the minimum content of that communication: it must be in clear and plain language and describe the nature of the breach, its likely consequences, the measures you have taken or propose to take, and a contact point for further information. Beyond that it does not prescribe the channel or the level of detail, leaving companies to decide how much more their customers need to know. Case law may change this in the future but, for now, it’s most important to work out your own approach in advance.
People across a company have a habit of going to ground when this type of incident takes place. While the chances are that you will be incredibly busy mitigating the breach, this doesn’t mean that you should avoid communicating internally about what has happened and the steps you are taking to fix things.

Industries that have long dealt with safety and security incidents have developed robust approaches to ensure lessons are learned from failures. For example, the civil aviation industry has a ‘no blame’ culture designed to ensure that lessons are learned from mistakes and that all parties are honest with investigators.

Managing data breaches can be difficult, and it’s still essential to do everything you can to avoid a breach, but it’s also important to have a culture that allows people to report breaches when they occur.

To make sure you have processes in place not only to prevent breaches but also to react effectively when they do occur, book a demo with one of our GDPR experts to see how Relentless GDPR 24/7 can help.