What to do in a data breach
While authorities may have been lenient in the first year of GDPR's introduction, organizations should now expect tougher penalties.
On 22 May 2019, the European Commission published an infographic on compliance with and enforcement of the GDPR since it came into effect in May 2018, and it is clear that a lot of work still needs to be done.
In the last month, British Airways has been fined £183 million (US$229.6 million) for failing to protect people's personal data, Marriott International hotel group has been told to pay out just over £99 million (US$124 million) and credit reference agency Equifax has agreed to a US$700 million penalty.
With GDPR aiming to give citizens back control of their personal data, organizations need to strengthen their data security measures to comply, including employing multiple encryption methods on-site and in the cloud, guaranteeing strong key management, and verifying the legitimacy of user identities.
But what should an organization do if – despite its best efforts – a data breach occurs?
1. Contain it
As soon as an organization becomes aware that a data breach has taken place, it should act to contain it and prevent any further loss or exposure of the affected data.
2. Report it
Where a breach is likely to pose a risk to the rights and freedoms of those affected, organizations must report it to the relevant authority within 72 hours of becoming aware of it. Because a breach can have a range of effects on individuals, including emotional distress and physical and material damage, each breach should be assessed on a case-by-case basis.
3. Acknowledge it
If the breach is deemed to result in a high risk to individuals' rights and freedoms, those directly affected must be informed as soon as possible, so they can take their own steps to mitigate the effects of the release of their personal data. According to the Information Commissioner's Office (ICO), 'high risk' means the threshold for informing affected individuals is higher than for notifying the authorities.
4. Explain it
When reporting a breach, organizations must provide information on its nature, including:
- The categories of the breach and the number of individuals and personal data records concerned
- The name and contact details of an individual who can provide more information – this is your data protection officer if you have one
- An outline of the likely consequences
- A description of the measures already taken or due to be taken to deal with the breach
5. Document it
Even if a breach doesn't need to be reported, organizations must record any breach that occurs.
By putting in place detection, investigation, and internal reporting procedures, and having checklists for breach preparation and response, businesses will have the information required to make decisions about reporting – within and outside of the organization – and be able to respond to a data breach as set out by the GDPR.