Writing for Business Advice ahead of new data protection laws, Richard Agnew, UK and Northern Europe vice president at cloud platform Code42, offers company owners a guide for responding to a data breach and avoiding a GDPR fine.
Imagine this: Your IT team informs you that a data breach has been detected, exposing the personal data of clients, prospects and indeed anyone who has submitted information through your website. Terrifying for any organisation, right?
Once detected, you only have 72 hours to inform regulatory authorities about the breach, and they’re going to want to know all the “who, what, when and where” details about the exposed data.
This is the reality facing companies under the European Union’s General Data Protection Regulation (GDPR). From the moment a data vulnerability that exposes the personal data of an EU citizen is discovered, those precious seconds start ticking away.
To facilitate GDPR compliance, organisations that process or hold personal data of EU citizens need a comprehensive incident response plan. They also need technology that can rapidly identify what information was exposed. With a swift response protocol, the right team and visibility over data, dealing with security incidents in a compliant manner should be achievable.
But one question remains. “How should companies structure their incident response policies to ensure GDPR compliance?” When executed correctly, the following five steps can help your organisation respond to a breach and avoid fines.
Sound the alarm
IT security professionals within your business are alerted by the security solutions they have in place to the potential compromise of personal data. Ideally, the security solution should be a multi-layered stack comprising a data loss protection tool (DLP), a cloud access security broker (CASB) and an endpoint detection and response tool (EDR).
Absolutely essential, though, is a solution that can quickly flag unusual data traffic and send an automated alert to IT. Under the GDPR, ignorance of a data breach is not a get-out-of-jail-free card. Therefore, visibility of data across all endpoints is crucial.
The 72-hour countdown begins
Your IT team examines the breach notification. If personal data of EU citizens has been compromised, the hourglass is turned over, and you have 72 hours to inform the GDPR regulatory authority. However, if personal information was not exposed, there is no need to inform the regulatory authority and you can correct the issue within the confines of your organisation.
Hyper awareness of data content
Your security team identifies the content of the exfiltrated data. If it is found to contain personal information of EU citizens, then it is time to take action and respond. You need to establish the extent of the breach and take steps to limit the damage.
Having a comprehensive data visibility tool in place makes it far easier and faster to determine whether the breach involves regulated data, and can prevent unnecessarily informing the authorities if regulated data was not involved.
Covering all the bases
If personal data has been compromised, your company needs to escalate measures beyond the initial response team to include an interdepartmental group. The legal department, PR personnel, risk owners and asset owners should be involved.
An incident post-mortem will be conducted by your Data Protection Officer (DPO) — the person responsible for liaising with regulatory officials. Under the GDPR, most companies are required to have an elected DPO, either as a standalone position or as part of someone’s existing duties.
Informing the authorities
Following breach identification, your DPO will notify GDPR regulators of the incident and the compliance investigation process will begin. The investigation will be undertaken by a regulatory board based on your company’s region or country of origin.
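The decision at the heart of the steps above is mechanical: once the alert fires, establish whether the exposed records contain personal data and, if so, how much of the 72-hour window remains before the regulator must be told. The following Python script is an added illustration of that triage, not code from the article or from Code42; the personal-data indicators (email, UK phone and National Insurance number patterns), the sample form export and catalogue, and the detection timestamp are all constructed for the example, and a real deployment would take the classification from the DLP or data-visibility tool rather than from these regexes.

```python
"""Breach triage helper: does the exposed data contain personal data, and
when does the 72-hour regulator notification window close?

Added example; indicator patterns and sample records are constructed."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Regulator notification window described in the article: 72 hours from discovery.
NOTIFICATION_WINDOW = timedelta(hours=72)

# Constructed stand-ins for the classifiers a DLP / data-visibility tool provides.
PERSONAL_DATA_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "uk_phone": re.compile(r"(?:\+44\s?|\b0)\d{4}\s?\d{6}\b"),
    "ni_number": re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b"),
}

# Constructed sample data: a web-form export (personal data) and a product catalogue (none).
SAMPLE_FORM_EXPORT = [
    "id,name,email,phone",
    "1,Alice Example,alice@example.com,07700 900123",
    "2,Bob Example,bob@example.org,+44 7700 900456",
]
SAMPLE_CATALOGUE = ["sku,price", "WIDGET-1,9.99", "WIDGET-2,14.50"]

# Constructed alert time (timezone-aware so deadline arithmetic is unambiguous).
DETECTED_AT = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)


@dataclass
class Incident:
    detected_at: datetime   # when IT's automated alert fired
    exposed_records: list   # lines recovered from the exfiltrated data set


def classify_records(records):
    """Count how many records match each personal-data indicator."""
    counts = {name: 0 for name in PERSONAL_DATA_PATTERNS}
    for record in records:
        for name, pattern in PERSONAL_DATA_PATTERNS.items():
            if pattern.search(record):
                counts[name] += 1
    return counts


def involves_personal_data(records):
    """True if any indicator matched: the regulator must be notified."""
    return any(count > 0 for count in classify_records(records).values())


def regulator_deadline(detected_at):
    """The 72-hour clock starts when the breach is discovered."""
    return detected_at + NOTIFICATION_WINDOW


def triage(incident, now):
    """Decide the next step and report how much of the window remains."""
    deadline = regulator_deadline(incident.detected_at)
    indicators = classify_records(incident.exposed_records)
    personal = any(count > 0 for count in indicators.values())
    remaining_hours = (deadline - now).total_seconds() / 3600
    if not personal:
        action = "internal_remediation"      # no regulated data: fix it in-house
    elif now > deadline:
        action = "notify_regulator_overdue"  # window missed: notify at once, record why
    else:
        action = "notify_regulator"          # hand to the DPO with the deadline
    return {
        "personal_data": personal,
        "indicators": indicators,
        "deadline": deadline,
        "hours_remaining": round(remaining_hours, 1),
        "action": action,
    }


def demo():
    """Run the triage for both constructed data sets ten hours after the alert."""
    now = DETECTED_AT + timedelta(hours=10)
    return (
        triage(Incident(DETECTED_AT, SAMPLE_FORM_EXPORT), now),
        triage(Incident(DETECTED_AT, SAMPLE_CATALOGUE), now),
    )


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The form export trips the email and phone indicators, so the result carries the deadline and the remaining 62 hours for the DPO; the catalogue matches nothing and is routed to internal remediation without a regulator notification. Keeping the indicator counts in the result is what lets the response team answer the regulator's "what data" question rather than just "yes, personal data".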
Keeping customers updated
Informing the public, and more importantly your organisation’s customers, about a data breach is not part of the 72-hour rule. However, the regulation asserts that stakeholders should be informed “without undue delay.” There is an element of ambiguity here. The interpretations of the regulation will become clearer once the GDPR has been enacted in May and investigations have taken place.
A vital aspect of GDPR preparation is pre-planning communications to your stakeholders, including the language you will use to inform them about a breach. Pre-written commentary, established approval chains, and documentation of the investigation, response and recovery processes will all streamline the customer notification process.
GDPR regulatory bodies may take a more lenient approach in the immediate weeks and months following implementation, whilst organisations adapt to the legislation. However, this is far from certain, and companies shouldn’t rely on the benevolence of the authorities. Regulators could easily take the opposite approach and make an example of companies as a deterrent to others.
With heavy fines – and your company’s reputation – at stake, companies would be well served to do everything within their power to keep compliance front of mind now and in the future.
The 72-hour countdown to reporting is daunting for companies, but compliance need not be if they have a skilled response team, technology solutions and a sound response plan in place. This should give organisations the confidence they need to ensure ongoing compliance and minimise risk to their business.