Oct 27

FAQ: 10 Common Questions about Breaches and Incident Management

Breach management is an integral part of your GDPR readiness. It’s a topic that concerns and affects many privacy professionals and businesses.

We’ve put together a digestible list of common questions about breaches. If you are interested in learning more about breaches and how to manage them, watch our webinar or read our written guide here.

Questions about Breaches and Incident Management


1. How common are data breaches?
2. Why do breaches happen?
3. What are the consequences of a breach?
4. When do I need to report a breach to authorities?
5. When do I have to inform affected individuals about a data breach?
6. How do I inform individuals about a data breach?
7. Who should be in a response team following a breach?
8. When does the 72-hour reporting time limit begin?
9. How long should I retain the information about a data breach?
10. If a person lives outside the EU but their data is lost in a European country, is it reportable there?

1. How common are data breaches?

According to the new Breach Level Index, 945 data breaches led to 4.5 billion data records being compromised worldwide in the first half of 2018. Compared to the same period in 2017, the number of lost, stolen or compromised records increased by a staggering 133 percent. The total number of breaches decreased slightly over the same period, which signals that each individual incident is becoming more severe.

2. Why do breaches happen?

A data breach might be the result of a hacking or phishing attack. It could also originate inside the organisation, for example because a co-worker emails personal data to the wrong person or loses their phone.

3. What are the consequences of a breach?

Affected companies might lose business-critical data, face heavy fines and risk losing the trust of their customers. For individuals, it means private information such as credit card numbers and medical records can end up in the wrong hands.

4. When do I need to report a breach to authorities?

Businesses have to report a breach without undue delay, and no later than 72 hours after having become aware of it, where there is a risk that affected individuals will suffer negative consequences. In deciding whether a breach is reportable, you should look at factors such as the type of breach; the nature, volume and sensitivity of the compromised data; how easy it is to identify the affected data subjects; and what the consequences for them might be.

5. When do I have to inform affected individuals about a data breach?

If a breach is likely to result in a high risk to the rights and freedoms of individuals, the GDPR says you must inform those concerned directly and ‘without undue delay’. An assessment of the level of risk therefore determines whether, and when, you need to inform the affected individuals (i.e. the data subjects).

6. How do I inform individuals about a data breach?

As a general rule, you should inform data subjects personally. But if that would require disproportionate effort compared to the risk the data breach exposes them to, you can instead make a public statement through the press, on the company website or on Twitter. You also need to consider the type of data that has been compromised – for example, if email addresses were compromised, avoid informing people by email.

7. Who should be in a response team following a breach?

Bringing together experienced staff from IT, Legal and Communications with your data protection lead is a great start. We recommend you work through example scenarios in advance, so that you are not still allocating roles and responsibilities or debating procedures while the incident is unfolding.

8. When does the 72-hour reporting time limit begin?

Does the 72-hour reporting time limit begin from the data breach itself, from the detection of the breach, or from the first internal report of the breach?

The regulation says that the data controller shall “without undue delay and, where feasible, no later than 72 hours after having become aware of it notify the personal data breach to the supervisory authority unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.”

A data controller is considered aware when it has a reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised. The countdown starts from the point at which you become aware with that “reasonable degree of certainty”, not from the moment the incident itself occurred.

9. How long should I retain the information about a data breach?

There are no fixed rules on this. Article 33 of GDPR says that: “The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with this Article”.

In other words, if a regulator wants to see evidence of your compliance with your obligations under that Article of the GDPR, you should have those records available.

10. If a person lives outside the EU but their data is lost in a European country, is it reportable there?

This scenario applies to many global companies. We suggest that the GDPR obligations on breach reporting only apply to compromised data that relates to products or services being provided in the EU or to EU citizens. So if an overseas branch loses data that includes personal data of EU citizens, or data that is in any way touched or processed by the UK operation, and the breach is reportable, the UK regulator would need to be informed.

Do you have any other questions? Don’t hesitate to get in touch.