A data breach can lead to reputational damage, financial losses and much more. By effectively preventing and investigating data breaches in a timely manner, you can limit the damage to your organisation, and to the data subjects involved.
Here are 8 things to consider when dealing with a Data Breach:
Please note, the steps below are not necessarily linear, particularly in the initial response phase.
- Be Prepared
- Know what data you have, where it is, what you do with it, who has access to it, and how it is protected.
- Register of Processing Activity (RoPA) – DPC, Records of Processing Activities (RoPA) under Article 30 GDPR.
- Have a response plan in place.
- Train personnel.
- Crucial to addressing a breach is to be able to recognise one. As is how to respond if you cause, find, or are informed about a potential breach.
A personal data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed” (GDPR, A.4.12).
- Act Quickly!
- Once you have identified / been notified of a potential breach, escalate immediately:
- To the responsible person internally.
- To the Data Controller, if you are a Processor.
- Mobilise your breach response team.
- Determine whether a breach has in fact occurred.
- Work to contain the incident.
- Communicate with Relevant ‘Internal’ Stakeholders:
- The Data Protection Officer, where designated
- For advice, information, and as a point of contact for DPA and data subjects.
- Relevant management team member(s) – ‘process’ owners.
- Third party processors, where necessary.
- Establish the Facts
- Preliminary investigation – assess the situation. What has happened?
- What assets have been compromised?
- What data has been compromised?
- Classify the breach
- Is it Confidentiality, Integrity, Availability, or some combination of these?
- Is personal data involved?
- The Data Controller has 72 hours from becoming aware of a breach to notify the relevant Data Protection Authority (DPA) (GDPR A.33.1).
- The European Data Protection Board (EDPB) considers that a data controller should be regarded as having become “aware” of a breach when it has established with “a reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised”. EDPB Guidelines 9/2022 on personal data breach notification under GDPR, Version 2.0.
- Assess the Risks
- Carry out an objective assessment of the impact (likelihood and severity) of the breach on the rights and freedoms of data subjects.
- Communicate with External Stakeholders
- Notify the DPA
- Only required if the breach is likely to result in a risk to the rights and freedoms of individuals (GDPR A.33.1).
- This will be informed by your risk assessment.
- If your breach affects individuals in more than one EU / EEA country, you only need to notify your Lead DPA.
- Your notification to the DPA may be on a phased basis as you may not have all of the information within the 72 hour window.
- Only required if the breach is likely to result in a risk to the rights and freedoms of individuals (GDPR A.33.1).
- Notify the Data Subjects:
- Not always required but must be done “without undue delay” if the breach “is likely to result in a high risk to the rights and freedoms of natural persons (GDPR A.34.1).
- This will be informed by your risk assessment.
- Not always required but must be done “without undue delay” if the breach “is likely to result in a high risk to the rights and freedoms of natural persons (GDPR A.34.1).
- Document, document, document:
- Keep a record of the breach, its effects, your investigation, any corrective and preventive actions, and decisions made (GDPR A.33.5).
- Do this even if it is established that no notifiable breach has occurred.
- Fulfil any other Obligations
- You may have breach notification obligations beyond the GDPR.
- Legal, Insurance, Professional, etc.
Recent News
CalQRisk Shortlisted as Best Technology Partner in Housing Digital Innovation Awards
CalQRisk has been named a finalist in the Housing Digital Digital Innovation awards. CalQRisk is nominated as best ...
Read More CalQRisk Achieves G-Cloud 14 Approved Supplier Status
Delighted to confirm that following on from our GCloud 13 supplier status, that CalQRisk has been listed as ...
Read More CalQRisk named as Finalist for Cyber Security Provider of the Year at the Cyber Insurance Awards Europe
CalQRisk are thrilled to be finalists for the Cyber Security Solution Provider of the Year at the Cyber ...
Read More Volunteer Succession Planning – ‘Tomorrow’ has arrived.
Strong succession planning is critical for the viability of all businesses but can be particularly challenging for volunteer-led ...
Read More What is CSRD?
The Corporate Sustainability Reporting Directive (CSRD) is a framework for non-financial reporting which is mandatory for large companies ...
Read More CalQRisk Triumphs at the 2024 FS Awards, Winning Compliance and RegTech Award
At a distinguished ceremony held at the iconic Mansion House, CalQRisk emerged as the proud recipient of the ...
Read More NoFrixion Selects CalQRisk for its DORA Compliance Efforts
NoFrixion, the Embedded Banking company based in Dublin, Ireland, has announced its partnership with CalQRisk to ensure compliance ...
Read More CalQRisk is a finalist in the FS Awards
CalQRisk has been named as a finalist in the competitive and prestigious FS Awards for the Compliance and ...
Read More CalQRisk Customer Support Manager wins Rising Star at Irish Early Career Awards 2024
Congratulations to our Customer Support Manager, Eimear Farrell, who was named as a Rising Star in the Fintech ...
Read More CalQRisk wins Pitch Competition at ESCO Cyber Solution Days Event, Kilkenny, September 2024
The Cyber Ireland (CI) CISO Forum and ESCO Cyber Solution Days event took place in the Lyrath Hotel, ...
Read More