If your business collects and determines the purposes of Personal Data as the Data Controller, then there is a duty under the GDPR to report a personal data breach, where it results in a high risk to the individuals, to the supervisory authority (the Information Commissioner) within 72 hours of becoming aware of it, in line with Article 33. In 2019 British Airways received a notice of intent to fine under the GDPR following an unauthorised personal data breach.
Dealing with a personal data breach promptly allows your business to protect the Data Subjects (individuals) from further loss, alteration or unauthorised use of their data. Breaches can arise from several sources, from malware and phishing to user or administrator error.
Why Protect Personal Data?
One of the principles of data protection under the GDPR, Article 5(1)(f), is securing Personal Data, which includes protection from loss, alteration or unauthorised use. The Data Controller needs to be able to demonstrate this.
If suppliers are used by the Data Controller, they need to provide sufficient assurance that they have the necessary security mechanisms in place.
The business needs to take steps to ensure that security measures are in place which can protect against a high risk to the individual. The above should be reflected accordingly either in the contract or in the relevant data protection addendum.
Reporting the Data Breach Incident
It may be that the first your business hears of a personal data breach is from the customer. Once an individual in the business learns of the breach, it should go through the proper incident reporting process.
In your business, it should be made clear to all personnel where and to whom to report an incident. It also helps if there is information about this displayed around the premises.
The Business Review of the Incident
Getting the key team members and stakeholders together, where required, is going to be key to walking through the incident and the likely next steps that need to be taken.
In simple terms, once you establish the root cause of the Personal Data breach, you want to make sure the environment is secure. In parallel, you may also review the technical and security measures which were originally adopted to protect the Personal Data and decide what needs to be enhanced.
The key thing here is going to be the lessons learnt and the measures the business has put in place to prevent future occurrences.
Communicating with the Data Subjects
If you are the Data Controller and there is a high risk of impact on the Data Subject(s), then the Data Subjects are to be notified of the breach without undue delay.
This communication needs to detail the data breach incident, the steps taken, and any technical or organisational measures, including encryption, that have been implemented.
The regulator's timeframes and the timeframes in a contract are something to be mindful of when waiting for information from suppliers or needing to notify the regulator.
When dealing with the regulator, it is also important to consider whether any exceptions are being relied upon in relation to the timeframes.
As part of a breach, your business may be waiting for suppliers to provide input in terms of logs or other supporting information. Whilst obtaining this information from its source may take some time, it has to be managed and escalated where required.
The supplier must notify the Data Controller without undue delay if a breach occurs.
Customer to be Notified
It is likely that the business management team will want to understand what has been signed up to in the contract with the customer.
If a data breach does happen and the customer provided the collected data, then notice of the data breach is to be given to the customer in line with the GDPR notice requirements. The contract should reflect the regulation.
Internal Breach Report
Following the internal incident review meeting(s) within your business, it would be natural to put together a report document. This allows the business to set out the high-level background information in relation to the incident and its cause.
Furthermore, it describes what occurred in the breach, followed by the steps which were taken by the business as the Data Processor and/or the customer as the Data Controller, with the appropriate security measures to protect the Data Subjects. This report can also be provided alongside any other correspondence from the business.
Making it a Priority
If a personal data breach happens, does this mean you have to drop everything? If you are leading the internal data breach review or are a member providing input, then it is likely to become a priority within your business. It can become somewhat of a juggling act.
It could also mean that you may have to attend regular meetings or provide updates as requested by your business.
In summary, dealing with a Personal Data breach involves a few areas and requires support from each of them to gain access to additional information. This can only be achieved with commitment. It does take some time and effort to find out what went wrong before the breach can be put right, along with keeping the relevant parties updated or notified.