Nov 22

Mitigating Data Breach Risks

As information technology has become more sophisticated, so too has cybercrime evolved. By its nature, this race for one-upmanship means that cybercrime and data breaches are inevitable. Today, we’d like to discuss damage control and data breach mitigation.

A data breach, put simply, is any event that compromises the integrity, availability, or confidentiality of an individual's personal data, whether intentional and targeted or accidental. The risk of such an event varies with the company that has collected the data and the nature of the event itself. The GDPR regulates this kind of event and details the specific tasks and responsibilities of both data controllers and data processors. The following are a few strategies that may help your crisis preparedness and risk mitigation.

Prevention and preparation

Naturally, the best first step is being ready. Regular review of your existing data protection procedures exposes existing weaknesses. It is also a good way to familiarize the team with the agreed-upon protocols and procedures to follow in case of a breach. Your technical and organizational measures (TOMs) depend entirely on the nature of your organization and the kind of data you collect. You can learn more about these in Article 32 of the GDPR.

Another vital prevention element is designing a structured response with which the team is familiar.

A Bulletproof Incident Response Plan

The Incident Response Plan (IRP) covers a set of coordinated measures aimed at handling data breaches successfully and in a timely manner. Though there is no single lineup that fits every organization, a good plan establishes a structured team with clearly defined roles and people who are easy to contact. It also lays out how escalation works within the organization and a straightforward, repeatable process for responding to a breach. Finally, and crucially, it describes how to document any given event.

That final element is one of the most important. Proper documentation of events shows how an incident is evolving and sheds light on shortcomings before they become weaknesses. A solid IRP is also reproducible: it should not be reserved for an actual crisis, and it sets the baseline for the drills that follow.

You can learn more about Incident Response Plans in the Computer Security Incident Handling Guide published by NIST.

Communications

Informing data protection authorities and data subjects about a data breach is one more crucial part of a good IRP. The procedure depends entirely on the risk that each breach represents. In high-risk situations, users should be notified without undue delay. The GDPR, in Articles 33 and 34, sets out the proper procedure and notification details for data protection authorities and for the data subjects whose data has been breached.

Within the internal incident response teams, communication should be clear, quick, and efficient. Time is of the essence, and although a dedicated team responds to the crisis, the rest of your company should know what they can and cannot do during these events. A proper flow of communication can make the difference between a significant blow to the company's reputation and a well-managed crisis.

Keeping your users’ information safe is paramount, and you don’t have to find the best practices independently. Read more about the security of processing and risks in this article by Albin Thelin and a more detailed pathway for dealing with a data breach here.
