GDPR – Data Breach requirements and notification regimes
Recent high-profile data breaches demonstrate how critical it is to be ready to handle a breach. Advance planning will ensure you have a clear strategy focused on protecting and informing your customers. A detailed plan could minimise damage to your organisation’s reputation.
The EU General Data Protection Regulation (GDPR) imposes a data breach regime on all data controllers and processors handling personal data. Organisations must ensure personal data is adequately protected against loss, theft, unauthorised access and similar harms. Data processors are obliged to report personal data breaches to their controllers without undue delay, and controllers in turn need to be prepared to comply with the personal data breach notification rules.
These require the following:
– Reporting breaches that are likely to result in a risk to the rights and freedoms of individuals to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of them
– Informing the affected individuals of a breach where it is likely to result in a high risk to them
– Maintaining an internal register of all personal data breaches, including those judged not to require notification
The risk of non-compliance could see companies facing substantial fines. Information Commissioner Elizabeth Denham says, “Organisations should be aware that the ICO will have the ability to issue fines for failing to notify and failing to notify in time. It is important that organisations that systematically fail to comply with the law or completely disregard it, particularly when the public are exposed to significant data privacy risks, know that we have that sanction available. Fines can be avoided if organisations are open and honest and report without undue delay, which works alongside the basic transparency principles of the GDPR.”
As well as the risk of fines, organisations face the cost of rectifying any issues, compensation claims and potential damage to brand reputation. A data breach could cause loss of trust, customers, clients and revenue, all of which may be tough to claw back.
What constitutes a data breach?
A personal data breach is about more than just losing personal data. It means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
Some of the ways you could suffer a breach are:
• Weak / stolen credentials e.g. passwords
• Lost / stolen devices
• Systems and application vulnerabilities
• Malware attacks
• Insider threats
• User error
Cyber-criminals present a constant threat to organisations. While strong defences against these types of attack are critical, many data breaches are caused by human error. Loss of paperwork, data sent to the wrong recipient, insecure disposal of hardware, loss of unencrypted devices and failure to redact are all avoidable.
Training staff in understanding the importance of protecting personal data, and how they personally could cause a breach, is essential. Armed with a good understanding of the risks, staff can also perform a critical role in identifying breaches quickly once they’ve occurred.
When do you need to notify a breach?
Mandatory reporting of all data breaches is not required. Under the GDPR you need to notify your relevant supervisory authority (the Information Commissioner’s Office in the UK) where you have suffered a breach which is likely to result in a risk to the rights and freedoms of individuals. You must consider whether the breach, if left unaddressed, is likely to have a significant detrimental effect on individuals. Could the breach result in discrimination, reputational damage, financial loss or any other economic or social disadvantage?
Each data breach will need to be assessed on a case by case basis. If your organisation judges that the breach is unlikely to pose a risk to people’s rights and freedoms, you don’t have to report it.
You are also required to notify the affected individuals directly if a data breach is likely to result in a “high risk” to their rights and freedoms. For example, are they at high risk of identity theft or of their bank details being misused, or has sensitive data relating to their health been breached?
What should be included in a notification?
If you assess that a breach requires notification, you must include the following information when informing the regulator:
a) A description of the personal data breach, including where possible the approximate number and categories of individuals and of personal data records concerned;
b) Contact details for your DPO or, if you do not have a DPO, another contact point;
c) A description of the likely consequences of the breach;
d) A description of the measures taken or proposed to address the breach, including any mitigation efforts.
The GDPR says that where all details are not available, these can be provided at a later stage. This allows for a phased approach. In a recent blog the UK Information Commissioner, Elizabeth Denham says, “The ICO will not expect to receive comprehensive reports at the outset of the discovery or detection of an incident – but we will want to know the potential scope and the cause of the breach, mitigation actions you plan to take, and how you plan to address the problem.”
However, notification within such a tight time-frame will undoubtedly prove a challenge, especially if details of the breach are still being discovered and the best remedial action is still being decided. Organisations will need to consider carefully what they include in their initial notification, while being as transparent as possible.
Why do you need a Data Breach Plan?
Data controllers and processors are obliged under the GDPR’s accountability principle to develop or update their internal data breach notification procedures. This should include ensuring you have incident identification systems and response plans, which should be regularly tested and reviewed.
As well as working with your IT/IS teams to ensure appropriate technical and organisational protections are in place, it’s strongly advisable to ensure you have documented procedures in place requiring suppliers to proactively notify you of breaches.
What measures can you take to ensure you are prepared for a Data Breach?
Transparency and putting the customer first should be at the core of any plan. Here are some key aspects to consider when preparing your Data Incident Plan:
Assessment – identify areas where your organisation is potentially at risk. Develop and implement measures to minimise these risks
Evaluation – how bad could it be? how much personal data do you hold, and of what type? Particular care should be taken if you process Special Categories of Data (i.e. sensitive data). What harm could come to individuals if it was lost?
Team – pre-assign a Data Incident Team, ensuring any breach can be communicated to the team swiftly. This could include anyone who might be involved in an aspect of your assessment, rectification and communication of a breach – from IT to PR
Communication – develop a customer-focused communication strategy. Concentrating on how you will communicate with your customers is key but you also need to consider what you will say to the media, partners and clients. A joined-up plan with a clear message is crucial
Resources – ensure there is spare capacity and budget to handle a breach
Outsourcing – consider whether you will need outside help
Well-publicised data breach cases have demonstrated how many organisations get their communication strategy wrong, leading to widespread criticism and reputational damage. It is therefore worth deciding in advance who will be the public face of your breach. Who will be responsible for speaking directly to the media, and are they suitably equipped to do so? Media training may prove a valuable investment.
Testing your plan can prove invaluable
“No battle plan survives first contact with the enemy” (Helmuth von Moltke)
Testing plans and procedures will help to iron out any potential pitfalls. In many cases your staff may also be your customers: test your plan on your staff and get invaluable feedback in the process.
Key steps to take when a data breach has occurred
When a data breach has occurred, the first steps should be to assemble your Data Incident Team and apply your customer-focused communication strategy.
6 key steps for handling a data breach
1. Investigation – swiftly and comprehensively gather the facts of what happened
2. Assessment – does a website need to be taken down? Are customers at risk? Do they need to be informed?
3. Rectification – how quickly can the ‘problem’ be fixed? Implement measures to ensure it can’t happen again or reduce the risk of it happening again
4. Communication – what should you tell customers? Honesty and transparency will be valued, but equally it may be defensible not to inform customers if the breach is unlikely to result in a high risk to them
5. Notification – assess whether the breach is likely to result in a risk to individuals’ rights and freedoms – if so you will need to notify the regulator without undue delay and, where feasible, within 72 hours of becoming aware of it
6. Recording – keep a record of all actions and decisions taken, including the reasoning behind a decision not to notify. This is crucial in the event of regulatory activity, an audit or litigation
The GDPR makes it clear data controllers and their processors will be held to account for data breaches. All organisations need to be prepared to handle breaches and to try and minimise the impact both on the individuals affected and on their own reputation.
If you would like further advice, contact the data compliance and marketing permissions consultancy Opt-4. Telephone: 0208 434 3596
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.