So, a colleague has just come to your desk and told you that your organisation’s systems have been breached. Now what?
This is a situation that more and more organisations are having to deal with. According to our figures, there were at least 488 reported data breaches in 2017, and we’re on pace for an even bigger year in 2018. Organisations need to understand that the threat is real and that they should prepare for the inevitable.
The first 72 hours after you identify a data breach are crucial. This is the window the EU GDPR (General Data Protection Regulation) gives you to report a breach involving personal data to the supervisory authority.
It’s worth noting that a data breach only needs to be reported if it’s likely to pose a risk to the rights and freedoms of natural living persons. Of course, you won’t know that one way or the other until you’ve investigated the incident, so the first thing you need to do is determine whether personal data is involved and, if so, whether the exposed information could be used to harm those individuals.
If the answer is yes, then you need to prepare a breach notification for the ICO (Information Commissioner’s Office). This should include:
- The context of the breach, i.e. the categories of information involved, the number of records breached, how the breach occurred and what effect it has had on the organisation’s ability to operate.
- A point of contact. This will be your DPO (data protection officer) if you have one, or whoever handles information security.
- The possible outcomes of the breach, i.e. what might happen next.
- The measures you’re taking to deal with the incident, such as contacting affected individuals, setting up a helpline or isolating the vulnerable part of your organisation.
Providing this much information so promptly is a big ask, and the GDPR acknowledges that. You’re not expected to provide comprehensive details, but it’s important to get the process going as quickly as possible. Your investigation will almost certainly continue beyond those 72 hours, and you can provide further information to the ICO when it becomes available.
You can find out more about responding to a data breach and gathering the necessary notification information on our #BreachReady page.
We break the response process down into six easily navigable steps and provide advice on the tools and services you can use to complete each task.