Organisations face increased penalties when they fail to detect and report data breaches in a timely manner. Be it a large-scale cyber-attack or a bcc blunder, delays in notifying will be taken into account when calculating administrative fines. In the event of a breach, data controllers must report to their Supervisory Authority within 72 hours, and data processors must notify the data controller without undue delay. Where a company fails to officially report an incident to a supervisory authority, only for it to then be independently reported by an employee, it will be in breach of notification requirements under GDPR. The roles of both internal and external reporting are crucial and mutually dependent for effective compliance with breach notification requirements. In this article we look at the key elements of organisational whistleblowing solutions as well as discuss how internal reporting infrastructures can support effective procedures for breach notification.
Data breach reports have more than doubled
In the UK, the number of whistleblower reports of data breaches to the UK supervisory authority, the Information Commissioner’s Office (ICO), has almost tripled since the GDPR came into force. The ICO has actively encouraged whistleblowers to report data breaches and non-compliance. Internal whistleblowing of data breaches often indicates that there are systemic problems within an organisation. Employees tend to report externally as a last resort, when they no longer believe that internal reporting will galvanise change or that they are able to alter the status quo. As a result, offering effective means of internal reporting can be the change needed to avoid damage to an organisation’s public image.
EU breach notification requirements
In several member states, breach notification was a requirement prior to GDPR. In the Netherlands as of January 2016, failure to report a data breach could give rise to administrative fines of up to €820,000 under the Dutch Data Protection Act (WBP). Section 34a(1) of the WBP obliges data controllers to notify the Dutch Supervisory Authority (Autoriteit Persoonsgegevens, APG) of a security breach ‘which results in a substantial probability of serious adverse consequences or which has serious adverse consequences for the protection of personal data.’
However, the EU has made a point of making this a standard legal requirement throughout the EU. Under GDPR, businesses must report a data breach within 72 hours of it occurring. In this time frame, businesses will need to assess whether the incident constitutes a reportable breach, investigate the incident and set in motion damage control and preventative measures. The 72-hour reporting window applies as soon as the controller or processor is aware of the breach. This means that if the breach occurs on the data processor’s side, data controllers can lose time as a result of slow detection and reporting by the data processor. In order to meet these deadlines, it is imperative that businesses have a strategy in place for reporting, and are aware of the process their Supervisory Authority expects them to follow. In Ireland, for example, they must fill out an online form accessible via the Data Protection Commissioner’s (DPC) website. Simply being familiar with the reporting procedure and the information that authorities will request can accelerate this process.
The EU also echoes the same breach reporting expectations in other privacy and data security domains. For example, similar breach notification requirements exist under the NIS directive, which creates security obligations for operators of essential services and digital service providers. Under Article 14 (NIS) ‘Member States shall ensure that operators of essential services notify, without undue delay… incidents having a significant impact on the continuity of the essential services they provide.’ The NIS directive is currently in the process of being implemented at member state level, but once in place will apply to a broad number of operators of search engines, online marketplaces and cloud computing services.
How are businesses approaching their breach notification responsibilities?
Addressing the risk: incident response plans (IRPs)
A key method of ensuring businesses can meet breach notification obligations is to build comprehensive data breach incident response plans (IRPs). IRPs serve as a mechanism for self-regulation and data protection authorities across Europe recommend that these are put in place in order to limit damage flowing from a breach.
In brief, an IRP is a suite of policies, procedures and documented decision-making which fall into two broad categories:
- how the business prevents, detects, reports, investigates and assesses whether a (personal data) breach has occurred or is likely to occur; and
- how, in the event of a data breach, the business will communicate the necessary information externally to a supervisory authority or data subject, within the specified time-frame.
Engaging employees: creating a speak-up culture
Fostering a culture of internal reporting plays a key role in developing the necessary transparency for an IRP to be effective. Internal reporting channels mitigate the urge for employees to report externally, and may prevent reportable incidents occurring in the first place. A data breach only needs to be notified to the Supervisory Authorities if it is ‘likely to result in a risk to the rights and freedoms of individuals’. Unless an incident is a cut-and-dried data breach, organisations must evaluate whether a breach merits reporting. Pre-emptive assessments of what constitutes a breach for your business will save valuable time in the event of a breach. In the same vein, early detection of incidents gives businesses extra time to assess whether they will:
- identify an incident and conclude it is not a data breach, in which case there is no issue; or
- conclude that an incident is a data breach, but not one that would require notification to the Supervisory Authority, and subsequently take mitigating measures to prevent it from happening again; or
- identify that the incident is a reportable breach and inform the authorities immediately, while simultaneously working to remediate and contain the damage.
EU whistleblower protection proposal: three tiers
The importance of internal reporting is supported by the three-tiered system put forward under the EU Whistleblower protection proposal, which is anticipated to become law this year, requiring implementation at member state level by 2021. The proposed whistleblower protection Directive applies to breaches in a number of EU regulated domains, including the ‘protection of privacy and personal data and security of network and information systems’. A broad group of organisations would fall under the scope of the legislation, which applies to all companies with more than 50 employees or with an annual turnover of over €10 million. Employers in scope of the Directive must set up whistleblower channels in three tiers:
- Internal reporting
- External reporting to competent authorities (for instances where tier 1 does not work), and
- Public reporting (if appropriate action is not taken during tiers 1 and 2, or if there is a clear danger to the public interest).
The value of reporting is well outlined by the proposal drafters: ‘It is necessary to ensure that the information gets to the persons who can contribute to the early and effective resolution of risks to the public interest as well as to prevent unjustified reputational damage from public disclosure.’
Creating a culture of internal reporting comes with inherent challenges. Employees often fear that reporting an incident could lead to reprisal or disciplinary actions. To create an environment where employees feel comfortable, it is important to have a broad array of technical security measures in place. These should facilitate reporting and protect the whistleblower and any information exchanged as part of the internal reporting procedure. Potential whistleblowers should be informed that they are not going to be penalised for reporting an incident in good faith and that they can remain completely anonymous. Senior management and the board should embrace and advocate the possibility of whistleblowing and underline its value for the organisation.
It is essential to address received reports in a timely manner so that the person reporting knows their concerns are being dealt with. A three-month time frame for addressing reported issues has been suggested in the EU whistleblower Directive proposal. Practice shows that most organisations manage to maintain a response time of less than two weeks.
In order to achieve an effective internal reporting environment, there must be clear policies in place. It is important that the policies, including non-retaliation, are easily available and connected to the organisation’s Code of Conduct. Additionally, the whistleblowing procedure must be communicated to new employees, and existing employees must be kept up to date regarding organisational whistleblowing.
It is also essential to offer straightforward reporting channels and to designate contact persons who are also available out of hours. A short-cut route to the organisation’s Data Protection Officer (DPO) must be available for high-priority risks. The people designated to deal with incoming reports must also be experts in their field and up to date with the latest legal developments. It is crucial that everyone is on the same page and that all employees and senior management receive training that clarifies, in particular:
- the types of incidents that would be reportable,
- the name and contact details of incident response teams per department, and
- the persons tasked with reviewing and, where necessary, internally escalating incident reports.
A large proportion of incident reports will not be data breaches. However, if employees receive the right training, these reports should contain the relevant information and tell-tale signs that a breach is likely to occur, which can remove the need for breach notification to supervisory authorities altogether. Professional whistleblowing software can be leveraged to encourage internal reporting. By automating the process, employees are likely to perceive reporting as less daunting, and in turn report more events at an earlier stage. The cloud-based WhistleB whistleblowing solution, with its expanding array of functionalities, facilitates compliance with data protection laws such as the GDPR. This not only enables easy reporting and sharing of documents, but also allows for a high level of case management and report analysis.
Don’t forget to conduct a DPIA
The use of SaaS and cloud products is increasingly popular; as agile and cost-efficient solutions, they are capable of resolving many organisational pain-points. However, while resolving internal reporting limitations will enhance breach notification compliance, care must be taken not to disrupt data protection compliance in other areas of your data protection or GDPR programme. When introducing a new product into your organisation that processes personal data, you must be able to demonstrate that all privacy and data protection implications have been identified in advance of deployment.
Under the GDPR, a Data Protection Impact Assessment (DPIA) must be conducted when processing is deemed ‘high risk’. A DPIA must assess and document the risks, necessity and proportionality of processing, and put in place appropriate mitigating measures where necessary. DPIAs must be genuine assessments of privacy impact. A consistent method must be adopted and there must be a mechanism for relevant stakeholders to be alerted and consulted in time. In order to streamline this process, a set of criteria can be established to address key considerations, in particular:
- a set of screening questions to establish the circumstances in which a DPIA is necessary, incorporated into your employee data protection training; and
- a list of the most valuable data assets for your organisation, mapped against your risk register, to be viewed alongside your DPIA.