TenInsight
Our Ten Point Guide for preparing for and responding to a data breach incident:
A personal data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data”. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is about more than just losing personal data. Senior Compliance Executive Heba Mostafa reports.
Examples of personal data breaches provided by the Information Commissioner’s Office (“ICO”) can include:
- access by an unauthorised third party
- deliberate or accidental action (or inaction) by a controller or processor
- sending personal data to an incorrect recipient
- e-devices containing personal data being lost or stolen
- alteration of personal data without permission; and
- loss of availability of personal data.
In the event of a data breach, GDPR gives regulatory bodies (the ICO in the UK’s case) the right to fine organisations four percent of their annual global turnover, or €20m, whichever is the greater.
A key point is that any organisation should test various scenarios periodically to ensure that the response is rehearsed and roles are known.
- Responsibilities should be assigned to key individuals (the response team) along with their contact details. The response team may include the head of IT, information security, the head of corporate communications and senior executives.
- The internal escalation process for incident response should be documented and tested periodically. Depending on the industry in which the organisation operates, other bodies may also need to be notified.
- Robust breach detection, investigation and internal reporting procedures should be in place. This will facilitate decision-making about whether or not the organisation needs to notify the relevant supervisory authority and the affected individuals.
- You need to run an incident risk assessment to decide whether the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. For example, if the data is encrypted and there is no way any personal information can be recovered from it, you do not need to let the ICO know. It’s worth noting, though, that the ICO recommends that if you decide you don’t need to report it, you must be able to justify that decision, and so you should document it.
- If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, you need to notify the ICO (or the supervisory authority in your jurisdiction if outside the UK) without what is termed “undue delay”. This means that, from the time you become aware of the data breach, you have a maximum of 72 hours to report it, and you really should do so as soon as you know about it.
- Work on the basis that the worst happens and reporting to the ICO is necessary. You will need to provide them with as much of the following information as possible:
  - The categories and approximate number of individuals and personal data records involved
  - The name and contact details of the data protection officer (if you have one) or another contact point where they can get more information
  - A description of the likely consequences of the personal data breach
  - A description of the measures taken, or that you plan to take, to deal with the breach, including any measures taken to alleviate its effects
- In the case of a severe data breach, you will also need to inform anybody whose data has been caught up in the breach “without undue delay”. When communicating with these individuals, you will need to let them know:
  - The name and contact details of your data protection officer (as above, if you don’t have one, a contact where information can be requested)
  - A description of the likely consequences of the breach
  - A description of the measures taken, or that you plan to take, to deal with the breach, including any measures taken to alleviate its effects
- Work to prevent any further breach and stop the current breach (if it’s ongoing) and mitigate the damage that the breach, and any leaked data, can cause.
- Give instructions to isolate the affected systems and devices, as they may be needed for any subsequent investigation. Bear in mind that closing down or isolating a system could have a huge impact on the organisation.
- A record of any personal data breaches must be kept, regardless of whether you are required to notify.
How are personal data breaches discovered?
Data breaches are often discovered through several different channels, such as:
- Automated system monitoring – detecting a potential data breach; this is usually reviewed manually prior to action being taken.
- Whistleblowing facilities for groups such as staff, customers, and suppliers to report concerns anonymously.
- End users may report breaches to the IT helpdesk; however, be aware that issues reported in this way may not be logged as breaches. Staff need to be aware of the process for reporting incidents.
- Data published by hackers, or when members of the public find IT equipment and report it to news outlets.
- When an incident comes to light, the actual report of the breach itself may contain sensitive and/or personal data which should be subject to the organisation’s information classification policy and protected appropriately.
TenIntelligence can help support organisations with investigating a data breach:
- Advise on developing procedures to effectively detect, report and investigate a personal data breach or incident. Under GDPR, failure to report a breach could result in a fine.
- As an appointed DPO, act as the incident responder working with those identified within the Breach & Incident Response Plan.
- Develop a communication plan for internal and external messaging to clients and staff.
- Design and develop a Breach & Incident Response Plan.
- Support the regular testing regime of breach and incident response including specific development of bespoke desktop and play book exercises to test decision-making procedures.
- Provide support to the appointed DPO or business lead in the critical hours of incident response.
- Conduct specific Data Flow assessments, providing Gap Analysis to identify control weaknesses, strengths and areas for development.
What are the 6 most commonly discussed data privacy regulations and how do they affect the way the world approaches data governance?
The EU and UK:
General Data Protection Regulation (“GDPR”)
EU law on data protection and privacy in the European Union and the European Economic Area.
The USA:
California Consumer Privacy Act (“CCPA”)
State statute intended to enhance privacy rights and consumer protection for residents of California, United States.
Health Insurance Portability and Accountability Act (“HIPAA”)
Stipulates how personally identifiable information maintained by the healthcare and healthcare insurance industries in the United States must be protected.
In Brazil:
Lei Geral de Proteção de Dados Pessoais (“LGPD”)
Applies to any business or organisation that processes the personal data of people in Brazil.
In Canada:
Personal Information Protection and Electronic Documents Act (“PIPEDA”)
Governs how organisations collect, use and disclose personal information in the course of commercial business in Canada.
In Dubai, UAE:
Data Protection Law (“DPL”)
Gives individuals control over their personal data and protects against its misuse in both public and private sectors in the Dubai International Financial Centre (DIFC).