The biggest overhaul of data protection regulation in twenty years comes into effect on 25 May and alters the way businesses must respond in the event of a data breach.
Unless you've been living under a rock, you'll have heard about the GDPR. But our 2018 Global GRC Survey revealed that only 1.61% of quality professionals feel fully prepared to meet the new regulation.
A key area of concern is the data breach process - how to respond to a breach in a GDPR-compliant manner, what to do, and when to do it.
Ensuring your business is prepared for the worst is a vital step to take before 25 May.
Into the breach
The GDPR is, of course, all about data - so companies who suffer a data breach are a key focus of the new regulation.
It's not surprising that such importance has been placed on data breaches by the GDPR when we look at the infographics below.
Here is a diagram illustrating the reported data breaches in 2007:
And here's the picture in 2017:
There's a good chance your data is somewhere in here
Data breaches are getting increasingly frequent as databases grow and hacking techniques grow in number and sophistication. The GDPR will mandate that businesses take the necessary steps to protect themselves from a breach and to respond properly in the event of a breach.
What is a breach?
Personal data breaches can include:
- access by an unauthorised third party
- deliberate or accidental action (or inaction) by a controller or processor
- sending personal data to an incorrect recipient
- computing devices containing personal data being lost or stolen
- alteration of personal data without permission
- loss of availability of personal data
Hacking isn't the only cause of a data breach. Human error and flawed data security also contribute.
What to do
If the worst happens and your business suffers a data breach after 25 May, you must:
1) Contact the Information Commissioner's Office (ICO) through their website, with a Security Breach Notification Form or via the Security Breach helpline on 0303 123 1113
2) Inform them within 72 hours of the breach being discovered
3) Provide full details of the breach, including the scope and type of compromised data
How not to do it
Failure to notify the ICO within 72 hours can result in the GDPR's significant financial clout being brought to bear. That means fines of up to €20m (£17.7m) or 4% of global annual turnover. It simply isn't worth the risk of not informing.
After being informed of a breach, the ICO will either:
- Record the breach and take no further action
- Investigate, then take no further action
- Investigate, then take formal enforcement action
- Investigate, then serve a monetary penalty notice
Naturally, the ICO's response depends upon the severity, scope and nature of the breach, whether the breach has already been rectified, how quickly the ICO was notified, and whether steps have been taken to prevent future breaches.
The more mature and robust your data security process, the less likely severe responsive action becomes.
Do affected individuals need to be informed?
The ICO will not inform the public or affected individuals themselves, since that is the responsibility of the data controller.
The ICO may recommend that companies with a breach inform those affected where there is a significant risk to their privacy rights and freedoms. In severe cases, it may compel them to do so.
Where personal data has been compromised, it's usually best to inform those affected by default. Doing so builds trust and demonstrates a business's commitment to data security. The Data Protection Act currently in effect doesn't mandate breach notifications - but MyFitnessPal sent out this email to its customers anyway:
MyFitnessPal does it properly by informing its customers of a breach
Quickly owning up to a breach and working to correct it will be enforced by law in a little over forty days - so get into the habit now.
Getting a policy in place
Managing data breaches properly and in compliance with the GDPR requires input from everyone in the business. A security breach management policy provides guidance to all staff regarding the policy and process for managing data and information security breaches. Everyone in a company should be responsible for identifying and logging breach incidents.
Use a policy to highlight to your team:
- The scope and responsibilities of your company's security breach management
- Aims and objectives (i.e. minimising breach likelihood, notifying within 72 hours)
- How security incidents will be handled
- How incidents will be reviewed and monitored
What to do next
Preventing a breach is better than responding to one. And responding to one is better than sweeping it under the carpet.
To prepare your data security processes for the GDPR:
1) Conduct a privacy impact assessment to identify where and how personal data is stored, managed and processed in your business
2) Use the results to identify risk areas and implement effective controls to minimise the likelihood of a breach
3) Create a security breach management policy and communicate to everyone for an integrated, coordinated response in the event of a breach
For a detailed breakdown of the GDPR's requirements, practical expert-led advice, and a range of time-saving resources and templates, join the Qualsys GDPR workshop on 11 April or 23 May.