The EU GDPR (General Data Protection Regulation) is very much alive and kicking. However, despite the number of leaked records in June amounting to 145,942,680, the nation seems to be waiting with bated breath to see what will happen next. What steps will the ICO (Information Commissioner’s Office) take to ensure organisations adhere to the Regulation? What will the impact be on organisations that have already fallen short? Time will tell – and we may not have to wait long – but in the meantime, what can be done to protect your business and your customers, and reduce your chances of becoming a statistic?
As things hot up – literally (with all this sunshine!) and metaphorically – we believe the best approach is to apply your SPF (security protection factor) and get yourself and your team #BreachReady!
Since it came into force in May, the EU-wide GDPR has led to an increase in data breach reporting, because organisations are now required to notify the ICO of certain types of personal data breach within 72 hours of becoming aware of them.
However, beyond the visibility and ‘newsworthiness’ of such breaches – especially in consumer-facing organisations such as Dixons Carphone and Fortnum & Mason – it is also widely acknowledged that the convenient, interconnected world we enjoy gives cyber criminals more opportunities to mount sophisticated hacking and phishing attacks.
For this reason, knowing how to reduce the risk of a breach is only half the story. The second part is knowing what to do if you suffer a breach, especially with the 72-hour clock ticking.
What can you do to prepare?
- Understand the GDPR’s requirements, as well as how your company collects, stores and uses data. Knowing the data flow through your organisation will help you to understand the potential weak spots, and that is where you can focus your efforts.
- Ensure that your privacy notice clearly explains to your customers, suppliers and partners how and why you store their data and for what purposes.
- Human error poses one of the biggest security risks: it’s all too easy to accidentally click a link in a well-constructed phishing email. It is vital to ensure that your teams are trained appropriately, with annual refreshers to maintain awareness.
As well as helping to reduce risk, undertaking these steps will help you understand your state of readiness to respond to an incident. It is important to shift your thinking – data protection and cyber security are no longer ‘just’ IT issues. They are business issues that can derail an organisation, through both reputational damage and fines.
What can you do if you suffer a data breach?
If, or when, you suffer a personal data breach that could pose a risk to people’s rights or freedoms, you must notify the ICO within 72 hours. Your notification should include:
- As much detail as possible about what happened, what went wrong and how it happened.
- An assessment of the data affected, including the categories of personal data and the number of records concerned.
- A description of the possible impact on data subjects.
- A report of staff training. Specifically, had the staff member involved in the breach received data protection training in the past two years?
- A description of the actions you have taken or propose to take.
- A report of any oversights by the DPO (data protection officer), or the senior person responsible for data protection in your organisation.
Producing this level of reporting within the timeframe will be easier if your organisation is already GDPR compliant.
However, if you aren’t yet able to claim GDPR compliance (and only 20% of organisations believe they are GDPR compliant), now is the time to start getting #BreachReady!
Visit our data breach reporting page to understand more about what you need to do. If you still have any questions, contact our team for friendly, expert advice.