If you suffer a data breach, compliance with the EU GDPR (General Data Protection Regulation) will help lessen the impact. But what happens if you’re not GDPR compliant? Below we compare the different stages of a breach for #BreachReady and non-#BreachReady organisations.
You suffer a breach
A staff member accidentally sends an email using Cc instead of Bcc, a criminal hacker gets into your system and steals data, or a disgruntled ex-employee deletes customer information on their last day. Under the GDPR, breaches such as these may need to be reported to the ICO (Information Commissioner’s Office).
#BreachReady organisation: Reports the breach to the ICO within 72 hours of becoming aware of it, as required by the GDPR. The organisation’s breach process allows it to quickly identify that the breached data poses a risk to the rights and freedoms of individuals. It sends an initial brief report and continues to update the ICO over the following days.
Non-#BreachReady organisation: Finds out it has suffered a breach and keeps the information confidential, hoping no one will find out. It does not investigate who was affected or consider what impact the breach may have on its data subjects.
Data subjects affected
When data falls into the wrong hands, victims can suffer financial and personal problems, such as loss of access to services and identity theft.
#BreachReady organisation: Once it realises that there is a high risk to the affected data subjects, the organisation reaches out to inform them of the breach. It advises data subjects to change their passwords and to be vigilant, keeping an eye out for potential signs of identity theft. The organisation promises to help affected customers, reassuring them that it has their best interests at heart.
Non-#BreachReady organisation: A data subject’s identity is stolen and used to apply for a loan. The data subject is alerted, works out that their data must have been leaked by the organisation, and lodges a complaint with the ICO.
The ICO investigates
The ICO will investigate a data breach and work with the organisation to find out what happened and whether it could have been prevented. Where necessary, the ICO can force the organisation to make changes, such as implementing security measures, or it can impose large penalties.
#BreachReady organisation: The organisation works with the ICO, being open and honest about its data protection practices and how the breach occurred. Having the proper controls, policies and procedures in place makes the investigation run more smoothly and demonstrates to the ICO that the organisation has worked hard to become GDPR compliant. The ICO identifies extra security measures that could have been taken to prevent the breach and requires the organisation to adopt them.
Non-#BreachReady organisation: The organisation does its best to ignore the ICO’s investigation, and it becomes apparent that data protection is not a priority. The rights and freedoms of its data subjects have not been protected, and the organisation risks a fine of up to €20 million or 4% of global annual turnover, whichever is greater.
Don’t assume your breach will go unnoticed – work towards GDPR compliance to significantly reduce regulatory penalties should you suffer a data breach.