If 2018 has taught us anything, it’s that data breaches are a matter of when, not if. Industry experts have said this repeatedly – not because they want to sound ominous, but to remind organisations that they need to be prepared.
Everyone is a potential victim, and sometimes you can have all the right defences in place and still be breached. But if you accept the inevitable, there’s a lot you can do to mitigate the damage.
In the past few months, IT Governance has been helping organisations get #BreachReady. In this blog, we show you three ways you can use our advice to reduce the financial effects of a breach, comply with the EU GDPR (General Data Protection Regulation) and ensure your reputation remains intact.
1. Reporting the breach
Under the GDPR, organisations have 72 hours from the time they become aware of a personal data breach to report it to their supervisory authority. They must provide details of how the breach occurred, what data is affected, how many data subjects are involved and what measures they’re taking to respond to the incident.
#BreachReady organisations will know what’s required of them and how they can gather this information. They will also have the contact details of the supervisory authority, meaning they can be confident that the completed notification was sent to the right person.
2. Notifying data subjects
In some circumstances, you will also need to contact people whose data was breached. If you’re #BreachReady, you’ll be able to quickly ascertain whether this is necessary. You’ll also know what to include in your notification.
We usually recommend that organisations tell affected data subjects to change their passwords and to look out for suspicious activity on their accounts. If financial records were affected, you might suggest that data subjects suspend their bank accounts and request new payment cards.
3. The supervisory authority’s investigation
After the supervisory authority is alerted to the incident, it will investigate the breached organisation to assess whether the breach could have been prevented.
If it finds shortcomings in the organisation’s data protection practices, the supervisory authority will request that the organisation make changes to them. If the failings are significant, the supervisory authority might also issue a fine. The maximum penalty is €20 million or 4% of the organisation’s annual global turnover, whichever is greater. However, only egregious or repeat offences will attract fines of anything close to this.
#BreachReady organisations will be confident working with their supervisory authority, as they’ll have nothing to hide. Our advice helps you achieve full compliance with the GDPR, meaning there would be nothing you could have done to prevent the incident.