You never know when a personal data breach will hit you and your organisation. It might be just around the corner. It is crucial to understand that a lack of breaches in the past does not mean they will not happen at all. Therefore, be prepared, and spare yourself the dire consequences (fines and reputational damage, to name two) of being caught unprepared.
Preparing for a breach entails many things. What needs to happen to contain, document, assess and report the breach in the right way?
Prep work and first steps
Make sure that you have policies, routines and instructions in place that every person at your organisation is aware of. At the very least, everyone should know what a data breach is, that breaches are not to be taken lightly, and whom they should report to as soon as possible. Once you detect a data breach in the organisation it is important to respond quickly. The clock is ticking from the moment your organisation has become aware of the breach.
But what does that mean? This point in time is reached when the organisation has a reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised, regardless of who within your organisation discovers the breach. If it turns out that the breach needs to be reported to the responsible supervisory authority, this has to happen no later than 72 hours after the organisation became aware of it.
Awareness among employees and a clear, efficiently functioning escalation chain are both necessary to respond to a data breach. Depending on the size of your organisation, the length of your escalation chain may vary, but the general recommendation is to keep it as short as possible: every additional level it has to pass through costs time. Additionally, it may be appropriate to use an internal reporting form to document the steps taken, so that information doesn't get lost on the way to the top.
Simultaneously with running the internal report up the chain, qualified personnel should take initial measures to contain the breach and limit the damage to what has already happened. This may mean hotfixing a bug, shutting down a breached system or remotely wiping a lost device.
The incident response team
At the end of your escalation chain sits an incident response team consisting of the stakeholders in your organisation. This team will likely include your CEO and the heads of the legal, IT and security, and PR departments. The team's first responsibility is to lead the incident investigation, gathering all the important facts in the shortest time possible. It will then have to determine what role the organisation has with respect to the affected personal data.
If this data was processed in the capacity of a data processor, you have to inform the data controller on whose behalf you processed the data without undue delay. You should tell them about the nature of the breach (including the categories and number of data subjects and of breached personal data records concerned), the likely consequences of the breach, and the measures proposed or taken to address and mitigate the breach and its possible negative effects. Also include the name and contact details of the contact point where more information can be obtained. The data controller will then make further assessments, such as whether the breach needs to be reported to the supervisory authority.
Assessing the risk
Is your organisation the data controller of the data? Then it needs to assess the data breach, evaluate the risks connected to it, and execute a response plan. Consider the following factors when assessing the risk to the rights and freedoms of the data subjects:
- The type of the breach
- The nature, sensitivity and volume of the personal data
- The ease of identification of data subjects (e.g. encryption/pseudonymisation)
- The severity of consequences for data subjects
- Special characteristics of the data subjects (e.g. minors)
- The number of data subjects
- The nature, role and activities of the organisation
- Any other factors that are relevant
The members of the incident response team should document and sign off on the risk assessment method, its reasoning and its conclusions. The result of the risk assessment should be one of the following conclusions:
- No risk to the rights and freedoms of the data subjects
- A risk to the rights and freedoms of the data subjects
- A high risk to the rights and freedoms of the data subjects
More about this in Part II of this series!