March 08, 2019

Responding to a Data Breach Under GDPR

Most firms should, by now, be familiar with the ways in which collecting data about internet users has been affected by the EU General Data Protection Regulation (GDPR). At the very least, they should have checked their cookies and confirmed their mailing lists.
But the impact of the new regulation is more profound and far reaching. What, for example, does GDPR require if a company discovers a criminal has breached its systems and stolen personally identifying information (PII) such as email addresses, credit card details or identity documents?

The importance of reporting an incident

Companies should know there is a strict 72-hour deadline from discovery of a data breach before it has to be reported to the data commissioner (in the UK, this is the Information Commissioner’s Office, or ICO). But data doesn’t actually have to be stolen in order for a security incident to qualify for mandatory reporting. If PII is corrupted or destroyed, for example in a ransomware attack, the commissioner should still be informed.
And while not all security incidents need to be reported, if, in the course of an investigation regarding a PII breach, the commissioner discovers that previous issues were ignored or not fully investigated, any punitive actions taken are likely to be that bit more severe. The fine for not correctly reporting a breach is 10 million Euros, or 2% of total turnover.

What measures have been taken to rectify a breach?

Reporting a breach to the commissioner is only part of the process following a breach. Under Article 33, companies also need to supply information regarding remedial measures taken to contain and repair any damage caused. It’s important to note this doesn’t mean the commissioner is expecting organisations to shut up shop while they fix a security issue but having a strong business continuity plan with up-to-date back-ups of databases will help to keep operations running without allowing the effects of the attack to spread. There are also strict conditions under which individuals whose information was involved in the breach must be informed.
All this is, of course, a lot to contend with while fighting the fundamental problem that someone has been in a company’s servers and may still be there. This is why GDPR also calls for organisations to conduct a thorough data impact assessment and have clear procedures and lines of authority in place to deal with the fallout from a breach. These documents are incredibly important, and not only for compliance. They help businesses deal with attacks rationally, calmly and correctly.

Ensuring GDPR compliance

To achieve and maintain compliance, it is important that firms are able to show that data protection policies were in place ahead of the breach, and that they were effective in containing and communicating it. The ICO has made it clear that its role is to ensure compliance rather than issue punishment.
There’s no expectation that everyone can be 100% secure all of the time; breaches can, and will, occur no matter what. Not every breach will result in a fine, as long as a business can show compliance with the law. The ICO has a useful guide to what is required for compliance – and taking adequate measures in both preparing and responding to a data breach will help prove to the ICO that everything has been done to protect the information that matters to an organisation.