Data breach. Two words you just don’t want to hear after a long week. It’s finally the Friday afternoon you’d been waiting for. Weekend plans with the family, the clock has just hit 16:00, and the weather isn’t as bad as predicted. Yet, here you are, after conducting a DPIA, finding yourself in a situation where you have a mere 72 hours to handle a whole breach. In this blog post, we will discuss your options, and provide you with support to handle this procedure seamlessly.
The nature of the breach
A data breach can come in very different forms. Take, for instance, a recent case where an art piece in a small town in the UK received nationwide attention. The town centre sculpture, made of recycled paper, contained sensitive medical data belonging to hundreds of NHS patients. Although the art piece was intended as a form of creativity, it actually caused a data breach.
A data breach does more than just hurt a company’s wallet in terms of fines. It also hurts the company’s identity, and puts a dent in the trust between the company and its consumers or clients. Mitigating such an event is therefore a top necessity for any organisation. Easier said than done.
Below you will find a variety of tips to overcome the challenges of encountering a data breach.
Distinguish the types of data breaches
If you arrive at the conclusion that you will be reporting a data breach, Articles 33 and 34 of the GDPR can help distinguish the exact type of data breach you might be dealing with. Let’s take a look at three scenarios that can help anticipate the actions you should take next.
• Scenario 1: The breach is unlikely to result in a risk to the rights and freedoms of natural persons (Article 33(1) GDPR). In this scenario, no notification needs to be sent to your Supervisory Authority. However, the breach should be registered within your organisation for accountability purposes. For instance, the loss of a securely encrypted mobile device may (in some circumstances) not require a notification.
• Scenario 2: The breach is likely to result in a risk to the rights and freedoms of natural persons (Article 33(1) GDPR). A notification should be sent to your Supervisory Authority. However, the breach does not need to be communicated to the data subjects involved.
For instance, names of a large number of students are registered for attendance reasons and mistakenly sent to the wrong recipient.
• Scenario 3: The breach is likely to result in a high risk to the rights and freedoms of natural persons (Article 34(1) GDPR). If this is the result of your assessment, you should absolutely notify your Supervisory Authority without delay. If you are a processor, you should also inform your controller (Article 33(2) GDPR), in the manner agreed upon. For example, say medical records in a hospital are unavailable for a period of 30 hours due to a cyber-attack, putting the health of data subjects at risk.
In addition to the notification being made to the Supervisory Authority, the affected data subjects must also be notified (Article 34(1) GDPR). For instance, if medical records in a hospital are unavailable for a certain number of hours due to a cyber-attack, a threat is posed to the patients who are being treated there. The hospital should therefore report this to the Supervisory Authority, but also to the patients affected.
Investigate the Incident
After you’ve determined which data breach scenario applies to your situation, you can begin a closer look into the incident at hand. After doing so, an internal breach notification should be addressed to everyone within the organisation. As part of this, it’s important that the data controller takes the following steps and includes the aspects below in the notification:
• Determine an identifier (for identification purposes internally and possibly even externally)
• Create a description of the issue and its consequences (if possible to do so)
• Determine the start and end date, including the moment your organisation became aware of the data breach. As a controller, your organisation should be aware of any breach known by a processor or subprocessor of your organisation.
If, after everything, you do decide to report to the authorities, make sure to use the right language
One of the essential steps in understanding the requirements for reporting a personal data breach is knowing the language of the reporting form to begin with. Potential language barriers may lead to difficulties or even delays in reporting the data breach. Being prepared ahead of time will save you from this scenario. Most DPAs have an English version of their reporting forms available, and a majority of DPAs (68%) allow data breaches to be reported in the local language of the market where the organisation with the breach is present.
Report on time
Acting swiftly and reporting in a time-efficient way are essential when it comes to a data breach. A digital reporting form is therefore often preferred, so make sure you know which DPAs have made a digital reporting form available on their website. This “digital reporting form” can be filled out and submitted through the website of the DPA, making the process a time-efficient alternative to an offline process, where a form needs to be downloaded and submitted to the authority via email or post. Keep in mind, though, that not all DPAs use digital reporting forms; only 46% of them have this option.
Include in the report
According to Article 33 of the GDPR, notifications to the leading Supervisory Authority should contain:
• The categories and approximate number of data subjects involved
• The categories of personal data and the number of personal data records concerned
• The contact details of the Data Protection Officer and other relevant contact people
• A description of the likely consequences of the breach for the data subject(s)
• The different measures that have been taken to address the consequences, including mitigating measures
If the notification is not made within the 72-hour period after becoming aware of the breach, the reasons for the delay should also be addressed in the report.
Preventive measures to take for the future
Put a band together
If the data breach is dubbed very serious, it can then be worked on with not only gallons of coffee, but also with the help of a data breach response team. Luckily, when it comes to data protection, there’s just no I in team. Such a team should consist of:
• Top-level privacy specialists
• A top-level security officer
• Head of the customer contact center
• A top-level communication specialist
The team should have the authority to make decisions when a data breach occurs. The Managing Director of the unit should also be included within the team. Additionally, there should be clear replacement procedures if any of the members are not available.
Perform a DPIA
Taking the appropriate measures to assess how data is being used, such as conducting a DPIA, will give you a better overview of how data is being handled, and thus the advantage of anticipating potential problems such as a data breach.
Automation is an alternative that helps you organise all this data and keep a clear view of everything that goes on with the company and the data. Human error is responsible for a significant number of data breaches, and automation is a way to reduce that number. Implementing automated safeguards, such as a system that regularly gives you a heads-up on potential problems in every processing activity, will definitely give you more of an advantage.
Create a culture
Creating a data privacy oriented culture may take time. However, proper training for your coworkers will not only give them a better understanding of the measures that decrease future problems, but will also help you see what needs to be improved in terms of data handling. With a data privacy oriented culture, the company will be more security minded and will put privacy and security first.
According to the Dutch Data Protection Authority, 11,906 reports of data breaches were submitted in the first half of 2019 alone. This amounts to approximately 2,000 reports per month. If this trend continues, the AP expects an increase of 14% for the whole of 2019 compared to 2018. By taking the preventive measures mentioned, you can lessen the chances of being one within that unfortunately growing number. You will be lowering the risk of a data breach to your organisation and will be able to take the necessary steps quickly and efficiently. You will also improve the overall standing your business has within the data protection culture. So make sure your cup is filled with the finest of coffees and start the prep!