A 5-step guide to reporting data breaches under the GDPR

In case you didn’t already know, the GDPR (General Data Protection Regulation) requires Irish organisations to report data breaches to the DPC (Data Protection Commission) within 72 hours of becoming aware of them. 

This doesn’t only refer to cyber criminals breaking into your system. It applies to any kind of data breach – i.e. any time the confidentiality, integrity or availability of information is compromised. 

Failure to disclose an incident could lead to penalties of up to €10 million or 2% of your organisation’s annual global turnover, whichever is higher. 

You can avoid this fate by following our five-step guide for reporting data breaches. 

1. Situational analysis 

What you need to tell the DPC: 

  • The type of breach you’re reporting. 
  • The level of risk the breach poses to affected data subjects. 
  • When the breach occurred and how it was detected. 
  • The nature of the breach. 
  • Whether you’ve notified affected individuals. 
  • Whether the breach has been contained. 

The faster you identify a security incident, the sooner you can mitigate the damage and alert those affected. Unfortunately, few organisations have a clear understanding of their state of readiness when it comes to data breach reporting. 

You can address that by implementing an incident response plan, which lays out a framework that can help streamline the response process. 

2. Assessing the affected data 

What you need to tell the DPC: 

  • The types of personal data that were breached (names, addresses, payment card information, etc.). 
  • Whether special categories of data were involved. 
  • How many individuals were affected. 
  • Whether vulnerable individuals were affected. This includes children, people with mental illnesses, asylum seekers, the elderly and data subjects whose relationship with the data controller contains an imbalance of power (employee-employer or tenant-landlord, for example).  

Organisations usually process much more information than they realise, which means a security incident can be a lot more damaging than they first expected. 

You can avoid this problem by gaining a clear picture of the data you process. This is itself a requirement of the GDPR (Article 30 states you must maintain written records of processing activities), but it will also help you meet your data breach response requirements. 

3. Describing the impact 

What you need to tell the DPC: 

  • The potential consequences of the breach for individuals. 

You’ll be able to answer this if you’ve recently conducted a risk assessment. This helps you identify and prioritise the biggest threats to your organisation and how they will affect your operations. 

If the threat becomes a reality, you will already have a solid understanding of the incident’s consequences. 

4. Preventive measures and actions taken 

What you need to tell the DPC: 

  • The technical/organisational measures that were in place before the breach. 
  • The measures you’ve taken or plan to take to address the breach. 
  • Whether mitigating measures have been implemented. 
  • Whether you’ve secured/retrieved the breached personal data. 

Data breaches can occur even if organisations have all the right defences in place. That’s the nature of information security; crooks find ways around defences and employees make mistakes that compromise the organisation’s systems. 

In other words, you’re not automatically liable because you’ve been breached. However, you are required to demonstrate that your defence and response measures meet the GDPR’s requirements. 

This is where ISO 27001 compliance helps. Organisations that meet the Standard’s requirements can be confident that they’ve adopted a best-practice approach to information security. 

5. Oversight 

What you need to tell the DPC: 

  • Your organisation’s name. 
  • The details of the person reporting the incident. 

You need to provide a point of contact so that the DPC can communicate with your organisation about investigating the incident. 

This should be your DPO (data protection officer), if you have one. We recommend appointing someone in this role even if you’re not required to under the GDPR. 

If you don’t have a DPO, your point of contact should be whichever employee is responsible for your organisation’s data protection. 

When do you need to report a data breach? 

You don’t need to follow each of these steps for every data breach you experience. The reporting requirement only applies to incidents that “pose a risk to the rights and freedoms of natural living persons”. 

This refers to the possibility of affected individuals facing economic or social damage, such as discrimination, reputational damage or financial losses. 

However, you are required to keep a record of all data breaches, so it’s important to document the answers from steps one and two, even if you don’t send the information to the DPC. 

Are you prepared for when disaster strikes? 

You can discover more tips for responding to cyber security incidents by downloading The data breach survival guide. 

This free download provides more detail on each of the steps listed here, and essential advice on how to reduce the risk of information security incidents. 
