The Lowdown On GDPR Data Breach Reporting

The torrent of data breaches, and of GDPR data breach reporting, highlights the necessity for regulation.  Before the GDPR, reporting a data breach was not common, but with the new regulation making it mandatory to notify data protection authorities within a strict timeframe, the number of notifications is sure to climb, making transparency a valid concept.

The reason for the sudden influx of breach reports is Article 33(1), which states: “in the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons” and “Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay”.

An increase in data breaches

In June of 2018, 1,792 data breaches were reported to the ICO, a fourfold increase over April 2018!  Fear of reprimand is one reason organizations felt they had to own up to every breach scenario that presented itself.

Organizations wished to protect themselves for fear that failure to abide by this rule may result in hefty penalties of up to €20,000,000 or 4% of total international revenue.  There is also the potential harm that could occur through loss of business, embargoes and damage to reputation.

GDPR – a baptism of fire

The first year of GDPR data breach reporting will be a baptism of fire for every organization, and the ICO is determined to make it known that they are there to assist rather than demonize.  Laura Middleton, manager at the ICO, is actively educating organizations on data breach reporting with regular webinars and PowerPoint presentations.  She states that every data compromise will have its risk definitions and not all breaches will need reporting.

Organizations should have in place a “go-to” risk assessment at the point of awareness of a potential breach.  When to report should rely upon a list of contingencies depending on the likelihood and severity of the outcome of a violation.  The GDPR gives us a good range of incidents and examples of data breaches, from the sending of personal data to an incorrect recipient to loss of data.  Human error is probably the highest factor in accidental loss or sharing of data, and the seriousness of these errors needs to be weighed against the more worrying security breach of a cyber attack.

What is important is to know the processes and to have your team fully aware of them, so that an individual is not, at any time, exposed to a high risk to their rights or freedoms.

Clear processes are essential

Having a proper process in place will help, not only with the reporting process but also with showing the ICO the extent of the efforts made to ensure compliance.

Ensuring your team has access to a list of questions, advice, and guidance will provide an invaluable tool for an organization.  Here are some examples of what should be in your Breach Policy Guidance Notes:

  • Describe the incident in as much detail as possible, including the date, time, and location of the breach.
  • The number of people affected – if over 500 data subjects, this is a large scale classification.
  • Details of the nature and scope of compromised data. For example, sensitive data such as financial information, or other special categories of data such as biometric data.
  • Evaluate the risk to the affected data subjects. Provide the worst-case scenario that could result from this breach for the individual or individuals, taking into account the reputational, financial or material effect.
  • Cause of breach.  Was it an external attacker exploiting weaknesses in security or a technical or human error?
  • Can the breach and its consequences be rectified, and how soon?
  • Having strong policies and procedures in place, documenting everything on breach notification, assists in the event of a data breach. It should also go some way to prepare for incident reporting.

What should you do in the event of a breach?

In the event of a breach, there are specific processes to follow depending on your organization.  Policies and procedures should document the particular actions required.  Every organization should ensure full access for all staff to the following instructions:

  • In the event of a breach gather the following information:
    • A detailed description of the circumstances surrounding the compromise/breach.
    • Include all relevant information, such as the category and types of data, the number of data subjects affected, and the number of actual data records.
    • The likely outcome and consequence of the breach.
  • Document a full description of the intended investigation with a complete breakdown of measures taken immediately, and also of those for future prevention of similar compromises.
  • Within 72 hours, report the breach to the relevant data subjects and Data Protection Authorities if you are required to do so. Ensure you have documented the contact details of your local Data Protection Authority.
  • Nominate a senior member of the team to act as investigator and reporter.

Above all, remain transparent.  Act in good faith and do not try to hide anything.  Showing a willingness to be compliant will go in your favour, but only if you show that your primary concern is to protect the personal data you manage.
