GDPR Data Breach: What You Need to Know
Let’s face it: as much as technological advancement is seen as a positive thing by many, we can’t ignore that it has also brought a number of challenges, one of them being data breaches, particularly those caused by cybercriminals. We may not want them to happen, but data breaches are a reality, and this is something the EU governments foresaw, which is why they are covered at length in the new GDPR law. In short, in the unfortunate event that a data breach occurs in your organisation, the law requires you to report it to the Data Protection Authority within 72 hours of the moment you find out. On top of this, data breaches bring enormous fines as well as reputational damage, which is why you need to be very careful. Below we cover everything you need to know about data breaches in the United Kingdom.
What is a data breach under GDPR?
Under the GDPR law, not all breaches need to be reported to the data protection commission. So what kind of breaches are we talking about here? This is what a GDPR data breach entails:
- The incident must cause the accidental or unlawful destruction, alteration, loss, unauthorised access to, or disclosure of personal data. By personal data we mean any data relating to identified individuals. Under the law the breach can be either accidental or deliberate, but that distinction is not of much importance. What matters is whether the incident negatively impacted the integrity, confidentiality, or availability of personal data.
What to include when reporting a GDPR breach
When reporting a GDPR breach to the data protection agency (DPA), you need to include the following information:
- Nature of the breach – you need to explain to the DPA exactly how the breach happened and how many individuals were affected. You also need to state the categories of data that were affected, and whether any records were lost or exposed. Make sure that you don’t leave anything out when describing the breach.
- Contact persons – you must also give the contact details of the organisation’s point of contact for data protection. This could be a data protection officer (DPO), an EU representative, etc.
- Consequences of the breach – you also need to tell the protection agency the worst that could possibly happen as a result of the breach. Could the breach result in identity theft, or could it lead to financial damage? Whatever the damage might be, you need to state it clearly when reporting the GDPR breach.
- Any measures taken – last, but certainly not least, you need to tell the DPA what you have done about the incident. If you haven’t done anything yet, are you planning to, and how? You need to let the agency know how you plan to solve the immediate problem – for example, how you are going to decrypt or restore the lost data – and, most importantly, how you will prevent and mitigate similar incidents in the future. Be sure to explain your plan in detail.
The process of handling data breaches
Now that you know what to include in your data breach notification, let’s look at exactly how you should handle the breach when it occurs.
Report to the Data Protection Officer – as mentioned above, as soon as you learn of the GDPR breach you have 72 hours to make sure that you report it to the DPO.
Assess the scope and impact – after reporting the incident, the next thing you need to do is assess the extent of the impact as well as the scope of the data breach. This is where you gather all the details mentioned above, including confirming that the data breach really occurred, estimating the number of people affected by it, and listing any security measures already put in place to prevent data breaches from occurring again in the future. As you can see, this step is all about providing sufficient information to the Data Protection Authority.
Be sure to notify all the relevant parties – your contact entity, or the DPO, will need to inform the Data Protection Authority whether or not your organisation is the controller of the personal data. When there is a high risk to the rights and freedoms of the data subjects, the DPO also needs to inform them about the controller. And, as mentioned, your notification must provide the contact details of your DPO alongside the details of the GDPR breach, including the actions being taken to minimise its impact.
Analyse the situation carefully – while the DPO engages with the Data Protection Authority, it is critical that your team continues to take a closer look at the problem at hand, doing everything possible to contain any further breaches and making sure that the estimate of the severity of the breach and of the number of individuals affected is refined and made more accurate. As more details are discovered, the Data Protection Authority must be updated accordingly. When the rights and freedoms of the data subjects have been significantly impacted, the organisation’s communication teams, in collaboration with the DPO, need to inform the data subjects as well.
Review and monitor – once the breach has been contained, the organisation needs to carry out a review of all the measures that have been put in place and explore every possible way to strengthen them so as to prevent data breaches from ever occurring again. Don’t forget to monitor all these measures to make sure that they are living up to the task and have been satisfactorily implemented. Be sure to document everything for future reference.
What else can you do to prevent data breaches?
There are a number of other things you can do to keep GDPR breaches out of your organisation. They include the following:
- Mandatory data protection induction as well as refresher training.
- Provide as much support and supervision as possible to your team until they understand and are proficient in their roles.
- Update your policies and procedures so that employees can easily report near misses as well as actual data breaches.
- Consider adopting a principle of “check twice, send once”, just to be sure.
- Build a culture of trust, giving employees the freedom to report anything.
- Always ensure that any breach incidents or near misses are thoroughly investigated and resolved.
What if you fail to report a GDPR breach?
Failure to notify the Data Protection Authority of a data breach incident can result in heavy GDPR penalty fines of up to 8.7 million pounds, or 2% of your global turnover. Remember, the data authority can also decide to fine you in addition to the usual fines. It is therefore crucial that you put a robust breach-reporting process in place so that data breaches are detected and reported on time.
Data breaches can do massive damage, both to your reputation and to your finances, which is why you need to put measures in place to prevent them from occurring. Don’t wait for them to happen! Set up a data protection process and a reliable set of GDPR compliance procedures, not only to avoid the heavy GDPR breach fines but also to protect your clients’ personal data and your reputation.