Previously on the GDPR Advent Calendar… my client “Nick” is head of an organisation which manufactures and delivers toys and treats to children all around the world, managing their contact details and associated information about behaviour and activities through an external data processor. This External Logistics Force (“ELF”) have identified a data breach involving a portion of the children’s records being exposed via an unencrypted and publicly accessible cloud server. All of that was yesterday. Now, let’s open Door 2…
The experience of any organisation during the first 24 hours after identifying a major data breach can vary significantly, depending on the extent to which appropriate procedures are already in place. For an organisation which has not anticipated the possibility of a breach, very little might be achieved during that initial period. The person discovering the breach might be afraid to report it, fearful that they should have discovered it sooner. They might not know who to inform about their discovery. Even if reported up to an appropriate senior colleague, there is likely to be a hiatus caused by uncertainty about what the priorities are. Finding appropriate guidance and educating themselves about how they should respond can tie up valuable time and effort across the business.
This in turn has further implications. It is coming to be recognised that for most organisations, the question is when, not if, they will suffer a data breach. Consequently, focus is increasingly turning to the way in which the organisation deals with the breach following its discovery. As such, behaviour during that early period after detection can have an enormous reputational impact. It can also, of course, make a significant difference to the extent of the impact on the data subjects in question.
Fortunately, Nick’s organisation had given some thought to the risks of a breach, and put in place a clear procedure for incident response, as follows.
Step 1: a message is sent to the designated individuals (and their alternates, in case of illness or absence on leave) from a range of teams across the organisation. These include a technical specialist, a risk manager, someone from the finance team and the response leader, who is someone from the senior management of the organisation. Sometimes external advisors will be included in this team: because Nick does not have an in-house legal function, that initial message also comes to me and it also alerts his PR company.
Step 2: their procedure next requires them to identify whether the breach is ongoing, and to shut it down. A message is sent to ELF asking them to secure the data and a response comes back explaining that in order to limit the risk they have already deleted all of the data on the public-facing server and have also run a check to make sure that there are no other categories of data which have been similarly compromised. We will come back to the implications of that course of action in a later post.
Step 3: the next step is to establish the severity and extent of the breach – a further message is sent to ELF asking for the number of data subjects affected, the range of information about each of them which has been potentially exposed, the duration of the breach and any information about access to the server within the period of the data being exposed. By the end of Day 2 (which, to be fair, is a Saturday after all) no response has been received to this enquiry.
Come back tomorrow as we go back to first principles and spend some time exploring exactly what amounts to “personal data” and “processing”…