Data breaches or data thefts happen to companies every day. But what do you do if you discover that, for example, an unencrypted USB memory stick containing sensitive data was lost or personal data was leaked in an attack on your IT? The EU General Data Protection Regulation (GDPR), defines the actions applicable to data breaches in Art. 33 and 34. You should therefore act quickly, but also carefully and in a legally sound way. Our action plan in the case of a data breach will help you do exactly this.
Step 1: Immediately detect data protection breaches
How quickly would you notice a data leak or data loss in your company? It is only possible to contain potential damages if you detect incidents as quickly as possible and take appropriate countermeasures. Both the company`s IT department and employees should therefore be sensitised for any irregularities. Check whether appropriate technical precautions against information security breaches have been implemented and whether unusual events are taken seriously and checked by those in charge.
- Is there a warning for failed login attempts and unauthorized access to the file system? How are such events handled? Is data traffic monitored? How are irregularities handled?
- To what extent are central servers checked regularly? Are employees sufficiently sensitised so they are able to detect data breaches?
- How are the reporting channels for data breaches defined and are they communicated to all employees?
- Is there a central policy on data protection incidents?
Step 2: Control the situation by implementing an Incident-Response-Management system
Of course, to be able to adequately respond to an incident, you must first identify what has happened. Clear responsibilities should therefore be defined. For example, if you discover that your website has been hacked: Who can be contacted 24/7 to fix the vulnerability and immediately check what data was accessed? Are all other employees informed about who they can contact and who they have to inform?
The best approach is to create an emergency list with all contact persons and their details, especially the data protection officer (DPO). The aim is to establish an incident-response-management-system that expedites the flow of relevant information to contain the breach.
Step 3: Observe legal obligations under Art. 33 and Art. 34 GDPR
According to Art. 33 GDPR, a breach of personal data protection must be reported to the competent supervisory authority without delay and, if possible, within 72 hours. For this purpose, the majority of supervisory authorities have created online forms. In the United Kingdom, the ICO can be notified of a data breach here.
Notification can only be waived if a violation “is not likely to result in a risk to the rights and freedoms of natural persons” and therefore requires the controller to take a forecast decision.
The crucial factors in risk assessment are potential negative consequences for individuals, such as emotional distress and physical and material damage. Consequently, you need to examine case-by-case whether the breach caused a mere inconvenience or will significantly affect data subjects. For example, you will not need to inform ICO about losing your employees’ phone list, but you must notify the authorities if your customer financial database was stolen. You will find more information and examples in section IV of WP29 guidelines on personal data breach notification, which has been endorsed by the European Data Protection Board.
If controllers are unsure whether or not to report a breach, they may use the self-assessment for data breaches tool available on the ICO’s website.
If the risk assessment reveals that the breach is likely to result in a high risk to the rights and freedoms of natural persons, Art. 34 GDPR also requires you to directly inform the concerned data subjects.
However, handling a data breach by no means ends with the reporting to the supervisory authority and, if necessary, the restoration of business as usual. Even at the time of notification, you will already be asked which measures have been taken to mitigate the risk. Part of the documentation of the data protection emergency is therefore also the review and implementation of measures that can prevent a similar breach in the future.
Even if the performed risk assessment does not result in a breach notification, the identified incident must nevertheless be documented according to Art. 33 (5) GDPR. This serves to inform the supervisory authority about the reasoning for taking such a decision in the case of an investigation.
An important point is to also involve your data protection officer early on, especially in the event of data breaches. He or she can provide neutral assistance in risk assessment and ultimately in his or her function as an independent adviser, making an indispensable contribution to the correct handling of the incident by the company.