If your business collects and determines the personal data (such as phone numbers, email addresses etc) as the data controller then there is duty under the GDPR to report personal data breaches if it results in high-risk to the individuals within 72 hours of becoming aware to the regulator (Information Commissioner or supervisory authority) in line with GDPR Article 33 as part of breach notification. In 2019, stolen customer data lead to the British Airways data breach under the GDPR received a notice to fine due to cyber security incident.
Dealing with a data breach allows your business to protect the data subject ( affected individuals) from further losses, alternations or unauthorised disclosure of personal information or sensitive data. This can come from several areas from either malware, phishing to the user (form of cyber attack or ransomware attack) or administration error.
Why protect personal data?
One of the principles of data protection under Article 5(1)(f) of GDPR, is securing personal data which includes protection from losses, alternations or unauthorised use to prevent a security breach. The data controller needs to demonstrate this.
If suppliers are used by the data controller, they need to provide sufficient backing that they have the necessary security mechanisms in place.
The business needs to take steps to ensure that security measures are in places which can protect against high-risk to the individual. The above should be reflected accordingly either in contract or relevant data protection agreement.
Report the data breach incident
It may be from the customer that your business hears of a data breach breach related to personal data. Once the individual learns of the breaches of data protection this should go through proper incident management reporting internally including where reqired the data protection officer.
In your business, it should be made clear to all personnel where and who to reach out in order to report an data protection breach incident. It also helps if there is information about this around the premises.
Review the data protection breach
Getting the team members and key stakeholders were required is going to be crucial to walking through the incident and the likely next steps needed to be taken.
In simple terms, once you establish the root cause of the personal data breach then you want to make the environment is secure. In parallel, you may also involve reviewing the technical and security measures which were adopted to protect the personal data initially and what needs to be enhanced.
The key thing here is going to be lessons learnt and the measures the business has put in place to prevent future occurrences.
Data controller contacts the data subject
If you are the data controller if there is a high risk of impacting the data subject, then the data subject is to be notified of the data breach.
This communication needs to be detailed around the data breach or cybersecurity incident the steps taken and any technical or organisational measures including where any encryption is implemented.
Response time frames for regulator
The regulator time frames as mentioned above and the notification times in a contract are something to be mindful of when waiting for information from suppliers or needing to notify the information commissioner or supervisory authority. Be mindful that there may be different notification times to consider also mentioned in the electronic communication Directive.
When dealing with the regualtor there it is also important to consider if there are exceptions being relied upon in relation to the timeframes.
Supplier data protection breach information
As part of a data protection breach, your business may be waiting for suppliers to provide input in terms of logs or any other supporting information. Whilst the enquiry in getting the source of this information may take some time to obtain this has to be something that needs the managed and escalated where required.
The supplier must notify the data controller if breaches of data protection occurs without undue delay.
Supplier report data breach to customer
It is likely that the business will want to understand what has been signed up to in the contract with the customer.
If a data breach does happen and the customer provided the collected personal data, then in line with the notice requirements the supplier is to inform the customer of the data breach. In contract, this should reflect the regulation requirements.
Internal data breach report
Following the incident meeting(s) reviews internally within your business, it would be natural to put a report document. This allows the business to formulate the high-level background information in relation to the incident and its cause.
Furthermore, it describes the breaches of data protection as to what occurred. Then the steps which were taken by the business as the data processor and/or the customer as the data controller with appropriate security measures to protect the data subject. This report can also be provided alongside any other correspondence by the business.
Making it a priority
If a personal data breach happens does this mean you have to drop everything? If you are leading the data breach internal review or are a member providing input, then it is likely to become a priority within your business. It can become somewhat a juggling act.
It could also mean that you may have to attend regular meetings or provide updates as requested by your business.
In summary, dealing with a personal data breach involves a few areas and requires each area support to gain access to additional information. This can be only achieved with commitment. This does take some time and effort to reach find out what went wrong before the breach can be put right. Along with the relevant parties being updated or notified.
Your business may have support requirement in one or more area why not talk to us and see if can assist with your data protection or the GDPR with our consultancy data protection service by emailing firstname.lastname@example.org or request a proposal from us.Get Your Free Consultation