Follow our advice to successfully manage risks and respond to a variety of information security incidents.
Any day during which you find out that you’ve been breached will be bad. But do you know what would be worse? Realising three days later that you’ve missed the deadline for reporting the incident to your supervisory authority.
Under the GDPR (General Data Protection Regulation), organisations have 72 hours from the moment they become aware of a breach to report the incident. They can do this either by email or telephone, but it’s not as simple as saying “we’ve been breached”. You must provide a long list of details about the incident, including the extent of the damage and the steps you’ve taken to recover.
You also need to work out whether you’re even required to report the incident. Supervisory authorities only need to be notified if there is a risk to the rights and freedoms of those affected.
Failure to disclose is punishable under the Regulation’s second tier of penalties, with fines up to €10 million (about £8.7 million) or 2% of the organisation’s annual global turnover, whichever is greater.
The requirement isn’t, as some have complained, petty bureaucracy. Disclosing a breach promptly can save organisations a significant amount of money and enable those affected to secure compromised accounts. A strong breach recovery process can also protect, or even enhance, an organisation’s reputation and reduce the likelihood of customers turning to competitors.
So, when you’re in the middle of that bad day when you learn about a data breach, don’t spend too long being upset, because there’s a lot of work to do.
You can manage those tasks effectively by following IT Governance’s six-step guide for reporting breaches to your supervisory authority – which, in the UK, is the ICO (Information Commissioner’s Office).
You must explain:
- The initial damage;
- How the breach has affected your organisation;
- What caused the breach;
- How you found out about it; and
- When you found out about it.
Assess the affected data
You must provide details of:
- The types of personal data compromised;
- The number of personal data records affected;
- The number of data subjects potentially affected; and
- The categories of data subject affected.
Describe the impact
You must detail:
- The damage that the breach has caused, particularly regarding material harm to data subjects; and
- The damage that might occur in the future.
In the event of cyber incidents, you must also state:
- Whether the confidentiality, integrity and/or availability of your information systems has been affected (and if so, how); and
- The estimated recovery time.
Report on staff training and awareness
If the breach was a result of human error, you must:
- State whether the employee(s) in question received data protection training in the past two years; and
- Provide details of your staff awareness training programme.
Preventive measures and action
- Describe the actions you have taken, or plan to take, in response to the breach;
- State whether you need to inform data subjects of the breach, and if you do, whether you’ve already done so; and
- State whether you’ve told, or intend to tell, any other organisations (such as clients or suppliers) about the breach.
You must provide:
- The name of your organisation;
- Your registered address;
- The name of the person making your report; and
- The name of your DPO (data protection officer) or person responsible for data protection.
DPOs: the key to data breach response
With the amount of work that goes into data breach notification, it’s tempting to see it as a big project that you’ll get around to once you’ve cauterised the damage and ensured that business operations are functional.
That sounds fair enough, but you really should be capable of dealing with both issues at once. It’s certainly a lot easier if you have a DPO, which is why most experts agree that organisations should appoint one even if they’re not required to under the GDPR.
DPOs have a range of responsibilities, such as educating employees on important compliance requirements, training staff who are involved in data processing, and conducting audits.
In the context of data breach disclosure, they act as a point of contact between management and staff, as well as between an organisation and its supervisory authority. That means managers can focus their attention on how the breach affects their department, while DPOs oversee the response process.
Finding a DPO
Many organisations struggle to find a suitable DPO, because the demand for qualified personnel far outweighs the supply.
Those that try to appoint a DPO internally have also had little luck, because even qualified cyber security professionals often lack the necessary expertise or have a conflict of interest with their existing role (which, under the GDPR, disqualifies them).
Any organisation facing such problems should outsource the role. This is particularly helpful for smaller organisations with data processing activities that aren’t substantial enough to require a full-time DPO.
Want more breach survival advice?
Find out more about how you can prepare for data breaches by reading The Data Breach Survival Guide.
It goes into more depth about each of the six steps outlined here, and explains how you can reduce the impact of a breach and gather the necessary disclosure information as quickly as possible.
How else can IT Governance help?
IT Governance is your one-stop shop for information security and regulatory compliance. Our range of books, toolkits, training courses, staff awareness solutions and consultancy services can help you with whatever you’re looking for, and our blog helps you stay informed of the latest industry news and advice.