Data Breach – It’s Not If, But When!

This is the fifth in a series of blog posts looking at practical steps you can take to build a robust GDPR compliance program.

Figures from a UK government Security Breaches Survey suggest that it's not so much a case of if your organization will suffer a cyber-attack but when. The 2017 report found that “Just under half (46 percent) of all UK businesses identified at least one cyber security breach or attack in the last 12 months. This rises to two-thirds among medium firms (66 percent) and large firms (68 percent).”  The study also found that breaches are more likely than average in businesses that hold electronic personal data on customers (rising from 46 percent to 51 percent). 

"A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity and availability of personal data. In short, there will be a personal data breach whenever any personal data is lost, destroyed, corrupted or disclosed."

ICO Guide to the General Data Protection Regulations

The fact that your organization has, more or less, a fifty-fifty chance of experiencing a breach in any 12-month period brings into sharp focus GDPR requirements to report certain types of personal data breaches to supervisory authorities within 72 hours. As a first step, you should be reviewing and improving your organization's systems and processes for incident management. 

Of course, not all incidents are breaches and not all breaches are notifiable. The UK Information Commissioner's Office provides some useful guidance here. The requirement to report a breach to your Supervisory Authority applies to personal data breaches, which are likely to result in a risk to the rights and freedoms of natural persons. Furthermore, if the breach is likely to result in a high risk to the rights and freedoms of individuals then the individuals concerned must also be informed without undue delay. Your DPIAs will be an important tool to help you determine the likelihood and severity of breaches associated with your data processing activities – read last week's blog about the role of DPIAs in a risk-based approach to GDPR.

In practice, this means that an organization needs in place an effective mechanism to:

1. Capture all security incidents; 
2. Quickly evaluate if they constitute a personal data breach;
3. Determine if the breach is notifiable to the relevant supervisory authority;
4. Determine if the individuals concerned need to be informed; and
5. Take action!

Hand, Eye and Stakeholder Coordination

A theme running through most of this blog series has been the need for coordination and collaboration across all relevant stakeholders within your organization to ensure an adequate response to GDPR. This is certainly the case with breach management and notifications.  In terms of capturing incidents, organizations often have multiple incident reporting channels for compliance, HR and security issues – all of these could be the first point of entry for learning about a potentially notifiable breach. Consider how to monitor all of these channels or, better still, how to harmonize your organization's incident reporting tools and processes.

In addition, many security breaches occur as a result of malicious, external attacks that are first detected, and responded to, by the technical controls implemented by IT security departments. It is vital that IT Security, Legal, Compliance and Privacy departments have clear and agreed procedures for monitoring and evaluating these attacks for potential notifiable breaches.

The right tools for the job

A 72-hour window for taking action on notifiable breaches will be challenging for many organizations given the sheer number of attacks on businesses and level of coordination required to detect and respond to them. This is one area of GDPR where technology can be a key enabler of compliance. Consider implementing an incident management system that can:

• Log incidents from multiple sources;
• Support rules-based evaluation and categorization of incidents;
• Drive appropriate workflows to manage incidents within defined timescales; and
• Document decisions along the workflow and store supporting evidence.

Changing workplace behaviors

No matter what technical controls you put in place, the success of your breach management system will rely in large part on the knowledge and behaviors of employees.  No doubt most organizations are rolling out GDPR awareness training – but with what outcomes in mind?

• Will your training help employees recognize a personal data breach?  
• Will they understand the urgency around breach management? 
• Will it help them know what to do about possible incidents?
• Will they be able and willing to take action promptly?  

The content and design of your GDPR training campaign is key to ensuring the right outcomes for managing data privacy risk.  (For more information, read our blog about GDPR training or listen to our recent webinar.)

Practice makes perfect

Do you really want to wait for that notifiable breach to happen before you find out if your breach management system is going to work?  Learning from best practices in the world of health and safety, information security teams are now increasingly running 'fire drills' to make sure that systems, processes and people are in place to respond effectively to security incidents.  Likewise, running GDPR breach fire drills will help you to test your system, identify any gaps, and close them before the real thing occurs. Because it's not a matter of if. It's a matter of when.

Other blogs in this series include:

• GDPR: 6 Reasons to be Cheerful
• The Truth is Out There – Mapping the Personal Data Universe
• A human Firewall is Your Best Defence
• A Risk Based Approach to GDPR
• What! Privacy policy has 4 Ss in it?

You can download our GDPR template project plan here.