Managing data breaches in a GDPR world
AMONG the many changes the General Data Protection Regulation (GDPR) introduced, and one of the biggest concerns for many organisations, is the requirement for mandatory reporting relating to a data breach.
Since the GDPR came into effect on May 25, Article 33 of the regulation mandates that “the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority”.
Reacting in such a short time frame calls for a robust response plan.
Unfortunately, experience to date suggests such plans tend to be conspicuously absent, and many organisations seem to muddle through handling a breach rather than following a prescribed and structured plan.
Good preparation will be the key element in how successful your data breach response is.
Key to such preparation is ensuring that all the necessary processes and procedures are properly documented and that these are communicated to the right people.
Regular testing of these processes and procedures is important to determine whether they are up to date and correct, and that people are familiar with them.
An effective way to test the efficiency of your response plans is to run regular exercises or breach simulations.
These can identify weaknesses in your plans before they are tested in the heat of a real breach.
Becoming aware of the data breach as early as possible is critical to minimise its impact.
Effective alerting mechanisms are vital because they can provide the information a response team needs to react appropriately to a breach.
The 72-hour reporting window means that you don’t need detailed forensic analysis before making the initial notification; that analysis can follow at a later stage.
Traditionally, the responsibility for data breach response often falls solely – and unfairly – on the shoulders of the IT department.
However, organisations need to remember that data security, and data breaches, are not the sole realm of the IT department but must involve the whole business.
After all, a data breach is primarily a business risk and a business issue rather than purely a technical one.
It is also important to remember that GDPR applies to physical information and not just data on IT systems, which is another reason the whole business must be involved in developing and implementing an effective data-breach response plan.
An effective data breach response team should include representatives from key parts of the business such as Information Security, IT, the Data Protection or Privacy team, Human Resources, Legal, and Public Relations.
The Data Protection or Privacy team is key to handling a personal data breach, as it can help determine the impact the breach has on the personal data and the individuals involved.
This determination will be key in shaping how the response to the breach should proceed.
The Human Resources team also plays an important role. Should the data breach be the result of an internal breach, the organisation may need to discipline a member of staff.
Recovering from a data breach often creates a fraught, high-pressure environment, particularly given the 72-hour window mandated by GDPR within which to report the breach.
In this type of scenario, HR plays a vital role by supporting the employees involved in responding to the data breach and helping them deal with the stress and pressure it creates.
Too often, after suffering a data breach, organisations fall back on stock answers such as describing “a sophisticated breach” or saying “we take security seriously” when there’s little evidence to support those claims.
The “sophisticated breach” can in time turn out to be the result of something trivial, undermining those claims and the credibility of those making them.
Having a public relations expert on the team and a supporting PR strategy, together with media training for key members of staff, will ensure public statements to various stakeholders such as media, the public, staff, and customers are consistent, timely and truthful.
An effective breach response plan is key to quickly identifying and remediating the cause of a breach, but it is also essential that, in the event of a breach, the response plan isn’t simply an exercise in reputation management.
Today it is accepted that most organisations will suffer a data breach of some sort.
Therefore, it will not be the fact that you’ve had a security breach that damages your brand, but how well you respond to it.