What is a Data Breach and How do I report it under GDPR?
If you’re a casual observer of data privacy issues, you might assume from news reports that large-scale data breaches are happening every day. While the problem might not be quite that widespread, the concern is very real.
The word “data” covers a lot of territory on the web, so determining what constitutes a data breach can be a little tricky. The European Union’s General Data Protection Regulation (GDPR) defines a personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
With that in mind, we can reasonably define a data breach as a security incident in which information is accessed without authorization. The public image of data breaches tends to involve malicious hackers prowling the internet for sensitive information. That is sometimes the case, but breaches are just as likely to be the result of human error or internal mishandling. The aforementioned UK breach, for instance, was the work of hackers out for personal banking information, while more than half of the Australian cases were traced back to organizational mistakes. Whatever the cause, these breaches put consumers at risk and violate the trust between an organization and its users.
Reporting Data Breaches
While the GDPR leaves the meaning of data breaches fairly broad, it’s much more specific about how to handle them. Article 33 of the GDPR is titled “Notification of a personal data breach to the supervisory authority,” and it lays out the proper data breach procedure in no uncertain terms. Data controllers must report any breach to the proper supervisory authority within 72 hours of becoming aware of it. If the breach is discovered by a data processor, the data controller should be notified without undue delay.
The notification to the supervisory authority must include several specific pieces of information, including:
The nature and scope of the data breach, including, where possible, the categories of data, the number of data subjects, and the number of personal data records involved
Contact information for the organization’s data protection officer or other contact point
Potential consequences of the breach
What the controller intends to do to address the breach and limit the threat to data subjects
Organizations that fail to report a data breach in the allotted 72-hour time frame do have a chance to explain reasons for the delay, but may still face fines and penalties.
Developing a Data Breach Response Plan
If there’s one thing the past decade of data protection history has taught us, it’s that no organization is safe from data breaches. Even if you feel confident in your company’s security, it pays to be proactive by having a data breach response plan in place before it becomes an issue. The specifics of your response plan will vary according to the needs of your organization, of course, but the Office of the Australian Information Commissioner has compiled a useful checklist that serves as a solid guideline for most. Be sure that your response plan includes:
Your organization’s definition of a data breach and how your employees can identify one
Clearly defined procedures and a chain of command for reporting a data breach
The roles and responsibilities of each member of your data breach response team
Plans for handling various kinds of data breaches with various levels of risk involved
Criteria for assessing the success or failure of your mitigation efforts
Plans for notifying affected data subjects, law enforcement, and supervisory authorities about the breach
Full documentation and record-keeping processes
Lists of your post-breach obligations under insurance policies, service agreements, and any other third-party contracts
Plans to investigate, identify, and eliminate any security or procedural lapses that led to the data breach
Regularly scheduled tests and reviews of your data breach response plan
Obviously, there’s a good deal of work involved with getting your organization prepared to deal with a data breach, but it’s all work that’s well worth doing. It may help to think of data breaches as a “not if, but when” situation. By taking preventative measures while also assembling a detailed plan for dealing with the aftermath of a data emergency, you can help minimize the potential impact on both your users and your organization.
Have you automated your GDPR web compliance process? Siteimprove Data Privacy locates the personal data you handle online so you can pinpoint and remove that data across your websites, minimizing the risk of fines and other legal consequences.