Since the enforcement of the GDPR approximately two years ago, over 160,000 breaches have been reported from across the EU. In the Netherlands alone, almost 27,000 data breaches were reported in 2019 - a 29% increase compared to the year before. Personal data breaches happen both due to external threats and internal security incidents, and both are on the rise. Given these figures and the large amount of personal data collected by organisations, even if the necessary safeguards are in place, the odds of a data breach happening within your organisation is quite high. So, what if a personal data breach does happen, how can you make sure that your organisation recovers from it quickly and well?
Learn from it
After the data breach has been contained and recorded, and the controller has notified the supervisory authority about the breach within the 72 hours after discovery set out by the GDPR, look back at how exactly the data breach happened. Was the data breach a result of an external threat or internal security incident? Who were the key stakeholders involved, and what actions did they take in this process? Were there mistakes made, and if so, how can you make sure they don’t happen again? Have all your procedures and safeguards been in place? If so, how have they been exploited still? And above all, what can you learn from the breach to reduce the risk of it happening again.
Assess the extent of the breach thoroughly
To thoroughly assess a personal data breach, it’s crucial to know the extent of its impact. First, take a thorough look into whose personal data was affected by the data breach - Customers? Employees? Partners? It could also be that more than one database has been affected, for instance, both with information on existing customers and also on employees. Take the time to look through the data compromised and identify just how much and what kind of data is involved in the breach.
In case special category data or otherwise sensitive data is involved, more far-reaching actions and perhaps even different mitigation measures could apply. Other questions to answer during your investigation is whether the data affected was encrypted, and whether it was backed-up somewhere. These are all aspects that are essential to know in case of a data breach, because they will guide you in how to mitigate the situation and how to communicate about the breach.
Make or update your response recovery plan
Upon assessing the incident, it’s time to make decisions on how to make sure it doesn’t happen again. Making a response recovery plan requires time investment and the collaboration between internal disciplines. The plan might include action items such as further staff training and spreading awareness on the importance of data protection company-wide, in order to make sure that all employees are up to date and on board with data protection and security initiatives. Even though it might seem trivial at first, something as small as reminding employees to log out of their systems after finishing work, or to regularly change passwords could prove decisive in the long run for reducing the risk of a personal data breach.
Further concrete actions to improve overall security could be encrypting work devices or introducing multi-factor authentication when logging into work applications. It’s also essential that procedures and safeguards are continuously updated, and the key stakeholders are informed about these updates regularly. Last but certainly not least, the response recovery plan should include a complete communications plan for various scenarios, that addresses both the parties affected by the breach, and the internal parties that handle the data.
Turn things around as much as you can
In your communications externally and internally, of course you’ll need to explain the scope and effects of the breach carefully. A great approach is to not only point out the negative effects of the breach, but also the positive and constructive steps you are planning to make as a result of it. These constructive steps could include for instance:
Investing in technology organisation-wide
A great way to turn things around is to show your commitment by investing in technology. For example, a system that helps detect a potential data breach ahead of time automatically can bring significant benefits, and will contribute to mitigating incidents quickly and ahead of time. Investment in such a tool can help organisations reduce the cost of a data breach by 50% according to studies.
Performing regular audits and communicating about them
Schedule regular audits to assess current security systems and adjust your recovery plan and procedures accordingly. This will help in making sure that you are aware of all personal data processed by your organisation, and can help identify potential risks and put mitigation measures in place ahead of time. After each audit, communicate to key stakeholders about the outcome of the audit, and offer alternatives/solutions to potential problems.
Creating a privacy culture with data protection champions
A common misconception regarding data protection is that it’s solely the task of specific individuals, such as the Data Protection Officers or Information Security Officers. However, data protection is a team-effort. You could set up a structure for a data privacy culture within your organisation, where employees are appointed to privacy champion roles, and are responsible for ensuring that their team or department is aware of all processes and procedures in place for data protection. This can help in reducing the risk of an internal data breach, and to be able to catch potential issues before they turn into security incidents.
Communicate transparently and openly
Once the breach has been handled, communicating appropriately about the issue could majorly contribute to bettering a damaged reputation, both externally and internally.
Communicating to the affected parties
According to the GDPR, if the breach is deemed to likely result in a high risk of affecting individuals’ rights and freedoms, your organisation should inform the affected individuals without any delay. Communicate transparently to those affected, explain the situation, share what the breach means for the affected individuals’ data, and what steps you have or will be taking to mitigate the incident. Offer the opportunity for an open conversation between the affected parties and your organisations, and be transparent about your action items. This can help to lessen the damage on customer/employee trust.
Communicating within your organisation
Communicate on a need-to-know basis, but do it openly within your organisation. You can remain in control of what information is shared among employees by communication proactively about the breach, and including details of what information should remain confidential. Make sure that customer-facing employees also know their role in the communications plan and are aligned on what messaging your organisation will be using in regard to the breach.
In order to get a full picture of the incident, you can also open dialogue with departments and ask if there are any further action items from their side that could help reduce the risk of a breach in the future.
Recover together from a data breach
Even if all safeguards are in place, data breaches can happen. While it’s crucial to be able to handle a data breach within the 72 hours set by the GDPR, it’s just as important to spend the weeks and months after the breach with evaluation and recovering the reputation of your organisation quickly. The investigation, communications, and the creation of a recovery plan though should not fall only on the DPO. Involve departments that can help you make the best out of the situation and work on recovery as a united organisation.