A 5-step guide to reporting data breaches under the GDPR

In case you didn’t already know, the GDPR (General Data Protection Regulation) requires Irish organisations to report data breaches to the DPC (Data Protection Commission) within 72 hours of becoming aware of them.  

This doesn’t only refer to cyber criminals breaking into your system. It applies to any kind of data breach – i.e. any time the confidentiality, integrity or availability of information is compromised.  

Failure to disclose an incident could lead to penalties of up to €10 million or 2% of your organisation’s annual global turnover, whichever is higher.  

You can avoid this fate by following our five-step guide for reporting data breaches. 

1. Situational analysis

What you need to tell the DPC:  

  • The type of breach you’re reporting.  
  • The level of risk the breach poses to affected data subjects.  
  • When the breach occurred and how it was detected.  
  • The nature of the breach.  
  • Whether you’ve notified affected individuals.  
  • Whether the breach has been contained.  

The faster you identify a security incident, the sooner you can mitigate the damage and alert those affected. Unfortunately, few organisations have a clear understanding of their state of readiness when it comes to data breach reporting.  

You can address that by implementing an incident response plan, which allows you to prepare for, respond to and follow up on cyber attacks.

A plan reduces the likelihood of incidents occurring, while also acknowledging that some incidents are inevitable, so that when one does happen you already know what to expect and what to do.

2. Assessing the affected data

What you need to tell the DPC:  

  • The types of personal data that were breached (names, addresses, payment card information, etc.).  
  • Whether special categories of data were involved.  
  • How many individuals were affected. 
  • Whether vulnerable individuals were affected. This includes children, people with mental illnesses, asylum seekers, the elderly and data subjects whose relationship with the data controller contains an imbalance of power (employee-employer or tenant-landlord, for example).   

Organisations usually process much more information than they realise, which means a security incident can be a lot more damaging than they first expected.  

You can avoid this problem by mapping the data flows through your organisation. Doing so gives you a full understanding of all the personal data you collect, store or otherwise process, as well as where and how you transfer it.

To map data effectively, you must understand how it flows from suppliers and sub-suppliers through your organisation and on to customers and clients. 

You must also be able to describe these movements and identify key elements of the data, such as the type of information, the format it’s stored in, the location it’s kept in and the lawful basis for processing.

3. Describing the impact

What you need to tell the DPC:  

  • The potential consequences of the breach for individuals. 

You may also be required to provide a follow-up report that describes: 

  • Any measures you had in place before the breach that aimed to prevent an incident of that nature. 
  • Actions you’ve taken to fix the problem and mitigate any adverse effects. 
  • Steps you’re taking to prevent recurrence, and when you expect to complete these steps. 

You’ll be able to answer these questions if you’ve recently conducted a risk assessment. This process helps you identify and assess relevant threats to your organisation, and establish the potential impact of a data breach on both your business and data subjects. 

Risk assessments also help you implement measures to manage those risks. More to the point, they ensure that those measures are appropriate to your organisation: more serious threats should command more resources and more robust security measures, whereas less serious threats can be deprioritised.

4. Preventive measures and actions taken

What you need to tell the DPC:  

  • Whether staff were made aware of their GDPR compliance responsibilities. 
  • Whether data subjects have been informed about the breach and how it might affect them. 
  • Whether you’ve told, or are planning to tell, other relevant organisations about the breach. 

Data breaches can occur even if organisations have all the right defences in place. That’s the nature of information security; crooks find ways around defences and employees make mistakes that compromise the organisation’s systems.  

In other words, you’re not automatically liable because you’ve been breached. However, you are required to demonstrate that your defence and response measures meet the GDPR’s requirements.  

This is where ISO 27001 helps. The Standard sets out the requirements for a best-practice ISMS (information security management system) – a risk-based approach to corporate security that, unlike the GDPR, contains clear instructions on how to manage information security threats.

5. Oversight

What you need to tell the DPC:  

  • Your organisation’s name.  
  • The details of the person reporting the incident.  

You need to provide a point of contact so that the DPC can communicate with your organisation about investigating the incident.  

This should be your DPO (data protection officer), if you have one. We recommend appointing someone in this role even if you’re not required to under the GDPR.  

If you don’t have a DPO, your point of contact should be whichever employee is responsible for your organisation’s data protection.  

When do you need to report a data breach? 

You don’t need to follow each of these steps for every data breach you experience. The reporting requirement only applies to incidents that “pose a risk to the rights and freedoms of natural living persons”.  

This refers to the possibility of affected individuals facing economic or social damage, such as discrimination, reputational damage or financial losses.  

However, you are required to keep a record of all data breaches, so it’s important to document the answers from steps one and two, even if you don’t send the information to the DPC.  

GDPR training

If you want to learn more about the ways GDPR affects your organisation, you should consider enrolling on our GDPR Foundation Training Course.

This one-day course provides a comprehensive introduction to the GDPR, helping you to get to grips with the Regulation.

The course is available in venues across Europe, as well as in Live Online, in-house and distance learning formats.

A version of this blog was originally published on 21 March 2019. 
