It’s time to discuss one of the horrible truths of data protection and cybersecurity: breaches will happen, no matter how many steps and procedures you put in place to avoid them. This is because systems are designed, built and run by people, and people are not flawless. People make mistakes, and this can lead to a data breach.

This is why, no matter how strong your data protection policy is, you need a plan of action just in case the dreaded incident happens and your company suffers a data breach. The implications of a breach go far beyond a potential GDPR fine and extend into serious reputational damage for your business. Your main concern shouldn’t be the legal implications, but the potential consequences for your business. Whilst GDPR compliance often focuses on the threat of huge fines that can result from a breach, and on preventing the breach, the steps that must be taken when a breach occurs are less commonly discussed and equally important.

The best way to prepare for a data security breach is to accept it as an inevitability and plan accordingly. No matter how many security protocols and steps you put in place, there is always the chance that someone will get around your systems or (more likely) that someone in your team will make a mistake and a breach will occur.
The background

Since the GDPR came into law with the UK’s Data Protection Act of 2018, there has been considerable noise about what it means for businesses. In reality, things are still evolving and we don’t fully know yet. The true consequences of the GDPR will be determined by case law, which will take several years to emerge. The Information Commissioner’s Office (ICO) in the UK is still finding its feet when it comes to enforcing compliance and is taking a relatively slow approach when it comes to sanctioning companies.

For this reason, it’s important to see the GDPR as a framework that can help you get adequate data security protection and mitigation measures in place.
Your Legal Obligations

After a breach occurs, you have 72 hours to inform the relevant GDPR regulator in the country where the breach took place. In the UK, this means the ICO. The ICO has developed a self-assessment tool to help companies determine whether the breach is reportable or not.
Putting Together Your Plan

What the ICO doesn’t provide is a plan for dealing with a data breach. If you don’t have one, then you should start to make one now. The last thing that you want to be doing when you are dealing with the reputational fallout that accompanies a data breach is working out the practical steps that you need to take.

If you can assign distinct responsibilities to everyone on your team and make it clear to them what those responsibilities are, it will save time in mitigating the impact of the breach. If members of your team already use an existing agile methodology or something similar, then use that framework for your GDPR response plan.

Remember there are a number of steps that you are required to take by law in the event of a data breach:
- Determine if you must inform the regulatory authority and do so if required.
- Ensure that the breach is repaired and no further information can be compromised.
- Determine if you must inform your customers and do so if required.