Data breach protocols - what to do when things go wrong
With each mountain climbing expedition, there are risk factors you cannot control. Since it is impossible to predict what may go wrong, you will need to know what to do in case of an emergency. A key part is knowing how and when to contact the Search and Rescue Support. Your journey to GDPR compliance involves a similar scenario.
The majority of data breaches are caused by human error. You need to be prepared for unforeseen incidents, ranging from the random theft of a briefcase or phone to brutal cyber attacks. After becoming aware of a data breach, you have 72 hours to report it to the Data Protection Authority. GDPR Article 33 specifies what information the notification must include. If the breach is likely to result in a high risk to individuals’ rights and freedoms, you must also inform the affected individuals without undue delay.
Following the mandatory guidelines
The Incident Response Protocol (IRP) dictates how to act. It defines who needs to be notified, by whom, within what timeline, and what details must be disclosed. The IRP ensures that all members of the Incident Response Team (IRT) understand their respective roles and responsibilities, and how they fit into the overall process. It also explains how to follow the mandatory guidelines and operate within the required response time.
When a data breach occurs, you need to find out the following:
- How was the information compromised?
  - Was it a threat from the inside?
    - Was the data disclosure inadvertent and unintentional?
    - Was the intent to bring harm to the organization or an individual?
  - Was it a threat from the outside?
    - Was it a random theft, with no indication that information was targeted?
    - Was it targeted at specific information?
- What information has been compromised?
- Was it an isolated incident or a recurring pattern?
- Has the leak been found and stopped?
What you need to do
The breach detection procedure involves the following three steps:
- Breach registration: determine whether valuable and sensitive data was compromised.
- Breach analysis: determine the severity of the breach and decide what actions to take, how to mitigate the risk, who to report to and how to fix the leak.
- Breach response/remediation: fix the leak and document the updated working process to ensure that you learn from this incident.
Making the 72-hour deadline
Needless to say, Incident Response Team members have to be available on a 24x7x365 basis. Hand-over moments need to be smooth, precise and executed within the shortest timeframe possible. There is no time for hesitation or doubt. If you fail to meet the 72-hour deadline, you will have a hard time explaining it to the data breach victims, the authorities and your other stakeholders.
Privacy Sherpas at your service
What should you do when you find it hard to finish the climb towards GDPR compliance, or to start improving your breach detection and incident response efforts? Don’t hesitate to contact DPA Privacy. We can harness a large pool of Privacy Sherpas. They have the expert knowledge and practical experience to guide you through the process of setting up a data breach protocol and embedding it in your organization.