You never know when a personal data breach will hit you and your organisation. It might be just around the corner. It is crucial to understand that a lack of breaches in the past does not mean they will not happen at all. Therefore, be prepared and spare yourself the dire consequences (fines and reputation damages to name but two) if you are not.
To prepare for a breach entails being aware of the things that need to happen to contain, document, assess and report the breach in the right way.
Prep work and first steps
First of all, make sure that you have policies, routines and instructions in place that every person at your organisation is aware about. The least everyone should know is what breaches are, that they are not to be taken lightly and the person they should report to as soon as possible. Responding quickly once a breach is detected in your organisation is of the essence. The clock is ticking from the moment your organisation has become aware of the breach. But what does that mean? This point in time is reached when the organisation has a reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised, regardless of who within your organisation may come to discover the breach. If it turns out that the breach needs to be reported to the responsible supervisory authority this needs to happen no later than 72 hours after breach detection.
Awareness among employees and having a clear and efficiently functioning escalation chain in place is necessary to respond to a breach. Depending on the size of your organisation, the length of your escalation chain may vary but generally it is recommended to keep it as short as possible to avoid losing a lot of time by running it through too many instances. Additionally, it may be appropriate to use an internal reporting form to document the steps taken and so information doesn’t get lost on the way to the top.
Simultaneously with running the internal report up the chain, qualified personnel should take initial measures to contain the breach and limit the damage to what has already happened. This may mean to hotfix a bug, to shut down a breached system or to remotely wipe a lost device.
The incident response team
At the end of your escalation chain, an incident response team consisting of the stakeholders in your organisation should be found. This team will likely include your CEO and the heads of legal, IT and security and PR departments. The team will in first line be responsible for taking lead of the incident investigation, gathering all the important facts in the shortest time possible. It will then have to determine what position the organisation has to the affected personal data.
If this data was processed in the capacity of a data processor you have to inform the data controller on whose behalf you processes the data without undue delay about the nature of the breach (incl. categories and number of data subjects and of breached personal data records concerned), the likely consequences of the breach, the measures proposed or taken to address and mitigate the breach and its possible negative effects, and the name and contact details of the contact point where more information can be obtained. The data controller will then make further assessments if the breach needs to be reported to the supervisory authority, etc.
If your organisation is the data controller of the data, it needs to assess the breach, evaluate the risks in connection to the breach and execute a response plan. Factors to be considered when assessing the risk to the rights and freedoms of the data subjects include:
- The type of the breach
- The nature, sensitivity and volume of the personal data
- The ease of identification of data subjects (e.g. encryption/pseudonymisation)
- The severity of consequences for data subjects
- Special characteristics of the data subjects (e.g. minors)
- The number of data subjects
- The nature, role and activities of the organisation
- Any other factors that are deemed to be relevant
The risk assessment method, its reasoning and its conclusions should be fully documented and signed off by the members of the incident management team. The result of the risk assessment should include one of the following conclusions:
- There is no risk to the rights and freedoms of the data subjects
- There is a risk to the rights and freedoms of the data subjects
- There is a high risk to the rights and freedoms of the data subjects
More about this in Part II of this series!