It is virtually impossible for any organisation to eliminate the chance of a data breach happening ever. But what every organisation can do is take all steps necessary to minimise the risk of a data breach happening. This, combined with being prepared and knowing what action to take if a data breach does occur will lessen its effects.
Organisations using the Privacy Compliance Hub know what they must do if they suffer a data breach, who is responsible for doing it and when it must be done by, all of which will limit the risk of fines, bad publicity and loss of vital customer trust. Planning ahead will free up valuable time to contain and recover the breach itself.
Types of personal data breach (‘CIA’)
A personal data breach is not just unauthorised disclosure or access to personal information (a ‘confidentiality’ breach). It also includes loss or destruction of personal information (an ‘availability’ breach) and alteration of personal information (an ‘integrity’ breach).
When, who and how to notify a personal data breach
Organisations must notify certain personal data breaches to the regulator (also called a relevant supervisory authority such as the ICO in the UK) and sometimes to the affected individuals as well. Failure to notify a data breach when required is itself a breach of the GDPR. The ICO has a useful self-assessment tool to help organisations determine whether a breach needs to be reported.
Notification to the regulator
All organisations are required to notify the relevant supervisory authority (the ICO in the UK):
- if a data breach is likely to result in a risk to the rights and freedoms of individuals (the severity of the potential impact on individuals as well as the likelihood of it occurring should be considered);
- without undue delay and, where feasible, within 72 hours; and
- in phases, if need be, as more information becomes available. An organisation should not wait to notify until it has all the relevant facts.
Notification to affected individuals
The individuals whose personal information has been compromised must also be notified:
- if the breach is likely to result in a high risk to the rights and freedoms of individuals eg. they are at risk of discrimination, physical harm, identity theft or fraud, financial loss or damage to reputation (completed data protection impact assessments will assist in assessing the risk level);
- without undue delay and informed of the steps they should take to protect themselves eg. change their passwords.
How to prepare for a personal data breach
- Have an up-to-date internal breach reporting procedure and an incident management plan – so you know exactly who needs to do what and when if you have a breach.
- Identify the Lead Supervisory Authority identified in your incident management plan If you undertake cross-border processing in the EU.
- Check that your processors are contractually obliged to notify you immediately of any breaches – data breaches must be notified to the supervisory authority as soon as possible and generally within 72 hours.
- Ensure you have adequate security measures in place so that even if you suffer a security breach, personal information is not compromised.
- Train all your staff regularly – the majority of breaches happen due to staff carelessness, not because of hackers.
- Document everything – maintain a record of data breaches which includes reasons for any decision to notify or not. The GDPR mandates that all personal data breaches must be documented.
A culture of continuous compliance
In our view, the very best way to reduce the risk of a personal data breach happening and to minimise its effects if it does happen is through a cultural shift in your organisation. At The Privacy Compliance Hub, we help organisations establish and maintain a culture of continuous compliance by making everyone in an organisation understand privacy, care about privacy and to do their bit to protect personal information. Our platform contains a structure, a programme, a route map, records, information, reporting and training to enable all organisations to comply with the GDPR and other privacy rules. It contains everything that you need.