How will your business manage a data breach?
Every organisation will suffer a data breach sooner or later, yet most organisations are unprepared for data breaches.
Here we set out what you can do and how you can prepare for this eventuality to reduce your risk and exposure.
Data breaches can be caused by outside attacks, such as cybercriminals, viruses and hackers, as well as by internal errors. The events, attacks and occurrences that can result in a data breach are numerous. According to a recent webinar run by IT Governance UK, many organisations are unable to ascertain how often they have been subject to an attack or whether they have suffered a data breach at all. Why is this? Because most organisations have no systems in place to detect them. It is worth noting that a data breach is not always immediately obvious, owing to the sophisticated techniques used by attackers and to weaknesses in IT security, but that the majority of data breaches are nonetheless due to human or process errors rather than sophisticated online criminals.
Data Breaches can be caused by:
What about data breaches and the GDPR?
Controller and Processor Obligations
In the event of a data breach, the GDPR sets out that data controllers and processors alike have obligations which they must adhere to. Controllers are often on the front line with their customers, and in some instances the data controller is also the sole processor of its customers’ personal data. A data processor is a third party to whom the data controller outsources the processing of personal data. If no data processing is outsourced, then the controller is solely responsible for its customers’ personal data.
Under the GDPR, all data processors need to have a data processing agreement in place with the data controllers. These data processing agreements must set out the roles of data controllers and data processors as regards the reporting of a data breach affecting personal data.
It is important that data controllers implement standardised reporting processes so that any party in their supply chain is able to efficiently report a data breach or any related issues. According to the GDPR, a data breach must be reported within 72 hours of the controller becoming aware of it.
When deciding whether to report a data breach relating to personal data to the supervisory authority (such as the ICO in the UK or the CNIL in France), the controller must consider whether the breach is likely to cause harm to, or compromise, the rights and freedoms of data subjects (if this is unlikely, then the controller does not have to report the breach).
If the breach is likely to create a risk to the data subjects’ fundamental privacy rights and freedoms, then the controller must report the breach to the supervisory authority. If the data breach is likely to create a high risk to the data subjects, then the controller must also advise the data subjects about the data breach, as well as informing the supervisory authority.
The GDPR leaves it up to the controller to determine the level of risk. However, what the controller considers to be a risk might be very different from the level of risk that a data subject would accept. Indeed, it is worth remembering that a breach can have really serious consequences for data subjects, but at the same time, the supervisory authorities across Europe are also concerned about organisations over-reporting in instances where they are not legally required to do so. It is therefore always wise to contact a specialist data protection lawyer to assist you with your reporting obligations in the event that your organisation suffers a data breach.
Requirements for reporting a personal data breach
The organisation which has been the victim of a personal data breach will be asked to fill in a standard questionnaire. The processes differ slightly across the supervisory authorities in the individual member states, so it is always worth checking with your national supervisory authority for the accepted data breach reporting mechanism. For example, the ICO uses its questionnaire to determine whether the controller has implemented a data breach response plan and is aware of the amount of personal data processed as well as the categories of data that have been affected.
What do organisations need to do?
Awareness and Accountability
In the event of a data breach, the organisation affected must be able to identify the number of records that might be affected as well as the nature of the data involved. This obligation is mainly about ensuring the organisation’s awareness of data breach risks and of the impact a data breach is likely to have on the organisation’s business and its data subjects. Organisations may therefore also be asked to assess the time that it might take to restore critical functions after a data breach has occurred, and whether they have a communication plan in place which will enable them to inform the parties affected by the breach. It is therefore really important to ensure that adequate reporting and auditing procedures are in place.
In relation to staff, supervisory authorities will want to know that all staff involved in the processing of personal data have received adequate data protection training - ideally, at least once every two years. The supervisory authorities will also want to make sure that all staff are familiar with the procedures that they need to follow when they discover or suspect a data breach.
Security measures and Audits
Organisations must be able to demonstrate that they have implemented appropriate measures to secure personal data and to limit any damage that may occur. For example, this could be done by undertaking external audits and validation, or by using standards such as PCI DSS or ISO 27001 and ISO 27002.
Whilst ISO certification is not realistic for smaller businesses, and is also not a GDPR requirement, following the standards by way of best practice does help to demonstrate GDPR compliance and to protect personal data against data breaches.
Time frame for reporting the breach
Under the GDPR, a data breach which must be reported needs to be submitted to the relevant supervisory authority within 72 hours of discovery. Fines can apply in the event of failure to report a data breach within the deadline. Sometimes, when a complex breach is discovered, it is possible to report after this deadline, but an initial report must nonetheless be made within the 72-hour deadline to ask for an extension.
It is important that all organisations determine who is to be in charge of data protection issues. This could be done by nominating a Data Protection Officer (DPO). Whilst the appointment of a DPO is not a legal requirement for smaller businesses, it can nonetheless be useful to appoint a data protection administrator or engage the services of an external data protection practitioner who is able to generally field queries and monitor privacy issues.
Incident response management
It is good practice for all organisations to implement proper incident response management, and this applies to all areas of the business and not just to data breach and personal data issues. A good incident response management process will help any organisation to manage unexpected and disruptive events and to reduce their impact. Organisations should therefore consider implementing a specific data breach incident response management process. Such a process should provide guidelines on how to proceed in the event of a data breach, but it should also help the organisation to prepare for and anticipate potential risks (e.g., by conducting regular assessments and cyber security threat analysis, and by considering the implications for people, processes and technology). Finally, it should include a response and follow-up plan allowing the organisation to effectively investigate and learn from any data breach which occurs, including how to recover and restore any data and how to prevent such a breach from reoccurring.
If you need any further specific advice about how you can deal with a data breach or if you need assistance to implement any data breach management techniques, then please get in touch!
Marie Mortreux, Legal Consultant @ Gerrish Legal, December 2018