A data breach is an incident that exposes confidential or protected information containing personal data. It involves all situations in which information is accessed without authorization.
It can lead to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data. This means any personal data that is stored, processed or transmitted.
Data breaches can hurt your business and your customers in a variety of ways. They can be costly and can negatively influence lives and reputations.
It includes more than just losing personal data. Personal data breaches can include:
- Access by an unauthorized third party.
- Deliberate or accidental action by a controller or processor.
- Sending personal data to an incorrect recipient (e.g. sent to the wrong email address).
- Devices being lost or stolen that contained personal data (e.g. laptops and mobile phones).
- Alteration of personal data without permission.
Under GDPR, obligations have been imposed for all businesses to report major types of personal data breaches to authorities. This must be done within 72 hours of the business becoming aware of the breach.
RECORD TIME AND DATE
Authorities, media, labour organizations, customers and employees may ask you, later in the process, how you reacted to the data breach. To have a sound and convincing answer, start recording all actions from the start. This begins with the time and date when you are notified about the data breach. It is also important evidence to prove that you met the mandatory 72-hour response time.
CALL AND INTERVIEW REPORTER
It is most important that you call the reporter of the breach. It is the best way to collect all important detailed information.
Don’t lose valuable time.
Don’t respond via email.
CLOSE THE GAP!
If the incident is indeed a data breach: close the gap first!
You will probably need help from your IT colleagues, so involve them from the start.
QUALIFICATION OF THE BREACH
To choose the right level of alarm, you have to determine what kind of personal data the incident concerns.
The GDPR (Art. 4, 12-15) mentions 4 kinds:
- personal data
- genetic data
- biometric data
- data concerning health
The possible impact of the breach also has to be determined.
An email with personal data sent to the wrong person is a data breach, but not as alarming as an unprotected shared server with personal data that is exposed to the internet.
FOLLOW THE DATA BREACH PROTOCOL
To be in control when a data breach occurs, a data breach protocol must be in place that is approved by legal, IT and the communication department, and authorized by senior management.
A data breach will not always keep to working hours, so your data breach protocol must contain the cellphone numbers of the key persons who may be needed to close the gap.
Your data breach protocol must contain a checklist to make sure that all required steps are followed and that you do not lose time or miss important information.
It’s important that all persons involved in securing the data breach know this protocol. We even advise that all involved people sign the data breach protocol to confirm they have read and understood it.
REPORT TO SUBJECTS AND/OR AUTHORITIES (IF NEEDED)
After you collected all required information and completed the checklist from your data breach protocol, you have to determine if you need to report the breach to the authorities and/or to the people whose personal data is involved (the data subjects).
Reporting to data subjects can be done by sending a mail to each of them individually, by releasing a public statement such as a press release or a statement on your website, or by any other means that is appropriate for the impact of the data breach on them.
Reporting to authorities must be done to the authority of the country where most of the affected subjects reside. It may be sensible to report to authorities in other countries as well.
Under GDPR, it is mandatory for you to report a data breach when you and your team judge that the incident is a data breach and can have a big impact on the persons involved. The way you report the data breach can have great consequences for your reputation, your business and the possible fines authorities impose on you.
Be clear and be honest, but use the right wording.
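The steps above (record the time of notification, keep a timeline of actions, qualify the breach by data kind and exposure, then decide whether to report) can be supported by a small intake log. The following is an added example written for this page, not a tool from the original text: it records a timestamped timeline, computes the 72-hour deadline from the moment of notification, and derives an alarm level from the four data kinds and the kind of exposure. The alarm thresholds (sensitive data or internet exposure is "high", a lost device or more than 100 subjects is "medium", a single misdirected email with plain personal data is "low") and the reporting rules derived from them are assumptions for illustration, not GDPR text; your own protocol sets the real ones.

```python
"""Breach intake log: timeline, 72-hour deadline and alarm qualification.
Added example; the thresholds and reporting rules below are assumed policy."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum

# Authority must be notified within 72 hours of becoming aware of the breach.
NOTIFICATION_WINDOW = timedelta(hours=72)


class DataKind(Enum):
    PERSONAL = "personal data"
    GENETIC = "genetic data"
    BIOMETRIC = "biometric data"
    HEALTH = "data concerning health"


# Assumed policy: the three kinds beyond plain personal data raise the alarm level.
SENSITIVE_KINDS = {DataKind.GENETIC, DataKind.BIOMETRIC, DataKind.HEALTH}


class Exposure(Enum):
    WRONG_RECIPIENT = "sent to a single wrong recipient"
    LOST_DEVICE = "device lost or stolen"
    INTERNET_EXPOSED = "unprotected server exposed to the internet"


def parse_utc(text):
    """Parse a constructed 'YYYY-MM-DD HH:MM' timestamp as UTC."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)


@dataclass
class BreachRecord:
    reporter: str
    notified_at: datetime      # moment you became aware; this starts the 72h clock
    kinds: set                 # DataKind values involved
    exposure: Exposure
    subjects: int              # number of data subjects affected
    timeline: list = field(default_factory=list)

    def __post_init__(self):
        if self.notified_at.tzinfo is None:
            raise ValueError("notified_at must be timezone-aware so the deadline is unambiguous")
        self.log("notified by reporter %s" % self.reporter, self.notified_at)

    def log(self, action, at=None):
        """Append a timestamped action: the evidence trail for later questions."""
        self.timeline.append((at or datetime.now(timezone.utc), action))

    def deadline(self):
        return self.notified_at + NOTIFICATION_WINDOW

    def hours_remaining(self, now):
        return (self.deadline() - now).total_seconds() / 3600

    def alarm_level(self):
        """Assumed qualification rule (see lead-in)."""
        if self.kinds & SENSITIVE_KINDS or self.exposure is Exposure.INTERNET_EXPOSED:
            return "high"
        if self.exposure is Exposure.LOST_DEVICE or self.subjects > 100:
            return "medium"
        return "low"

    def must_report_authority(self):
        return self.alarm_level() in ("high", "medium")   # assumed rule

    def must_report_subjects(self):
        return self.alarm_level() == "high"               # assumed rule


def triage(record, now):
    """Summarise what the response team needs at the reporting decision point."""
    return {
        "alarm_level": record.alarm_level(),
        "deadline": record.deadline().isoformat(),
        "hours_remaining": round(record.hours_remaining(now), 1),
        "overdue": now > record.deadline(),
        "report_authority": record.must_report_authority(),
        "report_subjects": record.must_report_subjects(),
    }


if __name__ == "__main__":
    # Constructed sample: an unprotected share holding health records, reported Monday 09:00 UTC.
    rec = BreachRecord("ops on-call", parse_utc("2024-01-08 09:00"),
                       {DataKind.PERSONAL, DataKind.HEALTH}, Exposure.INTERNET_EXPOSED, 5000)
    rec.log("share taken offline", parse_utc("2024-01-08 10:30"))
    print(triage(rec, parse_utc("2024-01-09 09:00")))
    for at, action in rec.timeline:
        print(at.isoformat(), action)
```

The timeline entries are what you hand over when an authority or journalist later asks how you reacted; the deadline is derived from the recorded notification time rather than from the moment someone fills in a form, which is the gap a paper checklist tends to leave.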
DATA BREACH FLOW
Resolving all effects of a data breach can take a serious amount of time.
- Authorities may ask additional questions.
- Media might start publishing about it.
- IT might not be sure all gaps are covered at once.
Keep on monitoring activities on the data breach to make sure all aspects are handled properly until you are sure you are safe again. You might want to appoint a dedicated person to be in charge of this. A DPO or privacy officer is a natural candidate, if such a function exists in your company.
But of course, it might also be a small data breach with little impact on your company and the people involved. In that case, recording the data breach will be a small effort.