How to Respond to a Data Breach – A DPO Guide

We asked Certified Data Protection Officer Fiona Kiely to tell us the key things she would recommend that an EU-based organisation do/consider in the event of a Personal Data Breach. Here is what she said.

Data Breach Response – 8 Things to Consider

You’ve discovered there’s been a security incident which could potentially have led to a data breach. Here are eight important things you should consider. Please note that these steps will not necessarily be linear, particularly in the initial response phase.

I appreciate that the first step does not fit in the context of a data breach response. However, having good data protection risk mitigations in place could well prevent you from having a breach in the first place, or reduce the impact of a breach, should one occur. And so, not only do I include it—I’ve also made it number one.

1. Be Prepared

  • You should know what personal data is associated with each of your business processes, including where the data is stored, what you do with it, who has access to it, and how it is protected.
    • This information will be recorded in your Register of Processing Activity (RoPA).[1]
    • Your organisation may be exempt from keeping a RoPA; in any case, the information should be readily available.
  • Have a robust data security framework in place.
  • Have an exercised Breach Response Plan in place.
  • Ensure your people have been trained.
    • Crucial to addressing a breach is being able to recognise one, and knowing how to respond if you cause, find, or are informed about a potential breach.
2. Act Quickly

  • Once you have identified/are notified of a potential breach, escalate it immediately:
    • To the responsible person internally.
    • To the Data Controller, if you are a Data Processor.
  • Determine whether a breach has in fact occurred.
  • Mobilise your breach response team.
    • Work to contain the incident.

3. Communicate with Relevant ‘Internal’ Stakeholders

  • The Data Protection Officer, where designated – for advice, information, and as a point of contact for DPA and data subjects.
  • Relevant management team member(s) – ‘process’ owners.
  • Third-party processors, where necessary.

4. Establish the Facts

  • Conduct a preliminary investigation to assess the situation. What has happened?
    • What assets have been compromised?
    • What data has been compromised?
    • Classify the breach.
      • Has Confidentiality, Integrity, Availability, or a combination of these been compromised?
    • Is personal data involved?
      • If the answer is Yes, the data controller has 72 hours from becoming aware of it to notify the relevant Data Protection Authority (DPA) of the personal data breach if it is considered likely to present any risk to the individuals involved.[2]
      • The European Data Protection Board (EDPB) considers that a data controller should be regarded as having become aware of a breach when it has established with a reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised.[3]
      • Thanks to the One Stop Shop mechanism, if your breach affects individuals in more than one EU / EEA country, you only need to notify your Lead DPA.
      • If the data breach affects individuals in other countries outside of the EU / EEA, you may well have an obligation to report in one or more of those jurisdictions.


5. Assess the Risks

  • Conduct an objective assessment of the impact (likelihood and severity) of the breach on the rights and freedoms of data subjects.


6. Communicate with External Stakeholders

  • Notify the Data Protection Authority (DPA).
    • This step is only required if the breach is likely to result in a risk to the rights and freedoms of individuals.
    • Your notification to the DPA may be on a phased basis as you may not have all the information within the 72-hour window.
      • This will be informed by your risk assessment.


  • Notify the Data Subjects:
    • This step is not always required, but it must be taken without undue delay if the breach is likely to result in a high risk to the rights and freedoms of individuals.[4]
      • This will be informed by your risk assessment.


7. Document, Document, Document

  • Keep a record of the breach and its effects. Document your investigation, the risk assessment, your communications, and any corrective and preventive actions taken and/or planned. And remember to keep track of decisions made.
    • Do this even if you establish that no notifiable breach has occurred.
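As an added illustration that is not part of the original guidance, a small Python model of the decision points in steps 4 to 7: it computes the Article 33 deadline from the awareness time rather than from first discovery, maps the assessed risk level to the DPA and data-subject notifications, applies the One Stop Shop rule for multi-country breaches, and keeps a decision log even when nothing is notifiable. The class and function names, sample timestamp and incident reference are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum

ARTICLE_33_WINDOW = timedelta(hours=72)               # runs from awareness, not from first discovery
T0 = datetime(2024, 5, 6, 9, 0, tzinfo=timezone.utc)  # constructed sample timestamp

def hours(n: float) -> timedelta:
    return timedelta(hours=n)

class Risk(Enum):
    """Outcome of the step-5 assessment (likelihood x severity) for the data subjects."""
    UNLIKELY = "unlikely to result in a risk"
    RISK = "likely to result in a risk"
    HIGH = "likely to result in a high risk"

@dataclass
class BreachRecord:
    """Step-7 record: facts and decisions, kept even when nothing turns out to be notifiable."""
    incident_id: str                  # constructed reference, e.g. "INC-TEST-1"
    discovered_at: datetime           # first sign of a security incident (step 2)
    aware_at: datetime                # reasonable certainty that personal data was compromised (EDPB)
    personal_data: bool
    risk: Risk
    eu_countries_affected: int = 1    # more than one triggers the One Stop Shop (lead DPA only)
    decisions: list = field(default_factory=list)

def dpa_deadline(rec: BreachRecord) -> datetime:
    """Article 33 clock: 72 hours from becoming aware, not from the first alert."""
    return rec.aware_at + ARTICLE_33_WINDOW

def required_notifications(rec: BreachRecord) -> dict:
    """Map the assessed risk to the Article 33 (DPA) and Article 34 (data subject) duties."""
    dpa = rec.personal_data and rec.risk is not Risk.UNLIKELY
    subjects = rec.personal_data and rec.risk is Risk.HIGH
    authority = "lead DPA (One Stop Shop)" if rec.eu_countries_affected > 1 else "national DPA"
    out = {"dpa": dpa, "data_subjects": subjects,
           "authority": authority if dpa else None,
           "dpa_deadline": dpa_deadline(rec) if dpa else None}
    rec.decisions.append(("assessed", out))       # record the decision even when nothing is notifiable
    return out

def record_dpa_notification(rec: BreachRecord, sent_at: datetime, complete: bool) -> dict:
    """Log a (possibly phased) DPA notification and flag whether the 72-hour window was missed."""
    entry = {"sent_at": sent_at, "phased": not complete, "late": sent_at > dpa_deadline(rec),
             "hours_after_awareness": (sent_at - rec.aware_at) / hours(1)}
    rec.decisions.append(("dpa_notified", entry))
    return entry
```

A phased first notification inside the window followed by a late completion is logged as two entries, so the record shows both what was sent and when the clock ran out.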


8. Fulfil any other Obligations

  • You may well have other legal, medical, or professional notification duties (e.g. under NIS) that must be fulfilled in a breach event.
    • Ensure that these are included in your breach response plan. You will have enough to do without having to identify them post-breach.


Responding to a data breach can be a complex affair. As well as the steps I have listed, you should enlist professional advice to help you with understanding the full scope of your obligations and ensuring you remain compliant with all applicable contracts, as well as with laws and regulations both in your home jurisdiction and any others that may be relevant.


[1] Data Protection Commission, Records of Processing Activities (RoPA) under Article 30 GDPR.

[2] EU General Data Protection Regulation, Article 33.1.

[3] European Data Protection Board, Guidelines 9/2022 on personal data breach notification under GDPR, Version 2.0.

[4] EU General Data Protection Regulation, Article 34.1.
