A Guide to the 6 Data Breach Response Steps

Follow our advice to successfully manage risks and respond to a variety of information security incidents.

Any day during which you find out that you’ve been breached will be bad. But do you know what would be worse? Realising three days later that you’ve missed the deadline for reporting the incident to your supervisory authority.

Under the GDPR (General Data Protection Regulation), organisations have 72 hours from the moment they become aware of a breach to report the incident.

Organisations can do this either by email or telephone, but it’s not as simple as saying “we’ve been breached”. You must provide a long list of details about the incident, including the extent of the damage and the steps you’ve taken to recover.

You also need to work out whether you’re even required to report the incident. Supervisory authorities only need to be notified if there is a risk to the rights and freedoms of those affected.

Failure to disclose is punishable under the Regulation’s second tier of penalties, with fines up to €10 million (about £8.7 million) or 2% of the organisation’s annual global turnover, whichever is greater.

Disclosing a breach promptly can save organisations a significant amount of money and enable those affected to secure compromised accounts.

A strong breach recovery process can also protect, or even enhance, an organisation’s reputation and reduce the likelihood of customers turning to competitors.

You can manage those tasks effectively by following IT Governance’s six-step guide for reporting breaches to your supervisory authority – which, in the UK, is the ICO (Information Commissioner’s Office).

1. Situational analysis

You must explain:

  • The initial damage;
  • How the breach has affected your organisation;
  • What caused the breach;
  • How you found out about it; and
  • When you found out about it.

2. Assess the affected data

You must provide details of:

  • The types of personal data compromised;
  • The number of personal data records affected;
  • The number of data subjects potentially affected; and
  • The categories of data subject affected.

3. Describe the impact

You must detail:

  • The damage that the breach has caused, particularly regarding material harm to data subjects; and
  • The damage that might occur in the future.

In the event of cyber incidents, you must also state:

  • Whether the confidentiality, integrity and/or availability of your information systems have been affected (and if so, how); and
  • The estimated recovery time.

4. Report on staff training and awareness

If the breach was a result of human error, you must:

  • State whether the employee(s) in question received data protection training in the past two years; and
  • Provide details of your staff awareness training programme.

5. Preventive measures and action

You must:

  • Describe the actions you have taken, or plan to take, in response to the breach;
  • State whether you need to inform data subjects of the breach, and if you do, whether you’ve already done so; and
  • State whether you’ve told, or intend to tell, any other organisations (such as clients or suppliers) about the breach.

6. Oversight

You must provide:

  • The name of your organisation;
  • Your registered address;
  • The name of the person making your report; and
  • The name of your DPO (data protection officer) or person responsible for data protection.

DPOs: the key to data breach response

With the amount of work that goes into data breach notification, it’s tempting to see it as a big project that you’ll get around to once you’ve cauterised the damage and ensured that business operations are functional.

That sounds fair enough, but you really should be capable of dealing with both issues at once. It’s certainly a lot easier if you have a DPO, which is why most experts agree that organisations should appoint one even if they’re not required to under the GDPR.

DPOs have a range of responsibilities, such as educating employees on important compliance requirements, training staff who are involved in data processing, and conducting audits.

In the context of data breach disclosure, they act as a point of contact between management and staff, as well as between an organisation and its supervisory authority. That means managers can focus on how the breach affects their department, while DPOs oversee the response process.

Finding a DPO

Many organisations struggle to find a suitable DPO, because the demand for qualified personnel far outweighs the supply.

Those that try to appoint a DPO internally have also had little luck, because even qualified cyber security professionals often lack the necessary expertise or have a conflict of interest with their current role (which, under the GDPR, disqualifies them).

Any organisation facing such problems should outsource the role. This is particularly helpful for smaller organisations with data processing activities that aren’t substantial enough to require a full-time DPO.

If you’re interested in outsourcing your DPO responsibilities, you should consider our DPO as a service solution.

One of our data protection experts will act as a remote DPO, working with you to understand your organisation and its compliance requirements. They’ll complete the necessary tasks and provide you with guidance whenever you need it.

The service is also ideal for organisations that aren’t legally required to appoint a DPO but still want someone to provide expert advice.

In those circumstances, the appointee won’t be formally known as a DPO, because they may not take on the full gamut of responsibilities associated with the role, but will instead occupy a position such as GDPR Manager or Privacy Officer.

But no matter what their title or your compliance requirements, our experts will ensure you get the necessary support.
