Documenting your GDPR compliance can be tough, but a little guidance and access to documentation templates can make things much easier.
The documentation process is one of the most important parts of GDPR (General Data Protection Regulation) compliance. What you write dictates the way you approach security and privacy, and any mistakes will set you up for failure when those documents are called upon.
Our focus in this blog is organisations’ data breach notification procedure. The GDPR stresses that there is plenty you can do after a security incident has occurred to mitigate the damage and restore any reputational damage that the breach might cause, so it’s vital that appropriate guidelines are in place.
What is a personal data breach?
A data breach is any event in which the confidentiality, integrity and availability of information is compromised. Data doesn’t only need to be stolen to be breached; it might also have been lost, altered, corrupted or accidentally disclosed.
Data breaches can happen to any kind of information, but the GDPR is concerned only with personal data. The Regulation defines this as “any information relating to an identified or identifiable natural person”. In other words, any information that is clearly about a particular person.
This might be someone’s name, ID number, online identifier, etc., or a combination of details that can be pieced together to establish somebody’s identity.
When do you need to report breaches?
Personal data breaches that “pose a risk to the rights and freedoms of natural living persons” need to be reported to the DPC (Data Protection Commission).
This refers to the possibility of affected individuals facing economic or social damage, such as discrimination, reputational damage or financial losses.
A clear-cut example of this would be a cyber attack in which individuals’ names, email addresses and/or physical addresses are compromised. With access to this information, a crook could attempt identity fraud or conduct a more personalised attack, like a phishing scam.
Another example would be a compromise that affects an individuals’ privacy. This would be the case when, say, an organisation accidentally shares someone’s medical status, political affiliations or other fact that they may not want publicly known.
By contrast, an incident that’s simply inconvenient, like the loss of anonymised or pseudonymous data, would not need to be reported.
Whether you are required to notify or not, the GDPR mandates that you keep a record of all personal data breaches.
This make the response process a little simpler, as your initial response will be the same regardless of whether the breach needs to be reported.
How long do you have to report a breach?
Organisations must report a breach within 72 hours of discovery.
The GDPR acknowledges that it will be hard to produce the necessary information within this timeframe, so you aren’t expected to provide comprehensive details. However, there are set guidelines on what you should work towards in that time, which we explain below.
What should a data breach notification include?
When reporting a breach, you need to provide the following information:
- Situational analysis: Provide as much context as possible, including the initial damage (what happened), how it affected your organisation (what went wrong) and what caused it (how it happened).
- Assessment of affected data: Ascertain the categories of personal data and the number of records concerned.
- Description of the impact: Describe the consequences of the breach for affected parties. This will depend on the information that was compromised.
- Report on staff training and awareness: If the breach was a result of human error, did the employee(s) involved receive data protection training in the past two years? Provide details of your staff awareness training programme.
- Preventive measures and actions: What measures did you have in place before the breach to prevent incidents like this from occurring? What steps have you taken, or plan to take, to mitigate the damage?
- Oversight: Provide the contact details of your DPO (data protection officer) or the person responsible for data protection.
How to prepare for a data breach
Organisations can do a lot of the work involved in data breach response in advance by documenting their plan of action. This explains how each step will be completed and who is responsible for each action, as well as contact details for those who need to be notified.
Here’s an example of what that document might look like:
This is an extract from our GDPR Toolkit, which sets out the scope of the procedure, responsibilities and the steps that the organisation must take to notify everybody involved, including the data controller, supervisory authority and data subjects.
- A complete set of easy-to-use and customisable documentation templates (including a personal data breach notification procedure) that will save you time and money;
- Helpful dashboards and project tools to ensure complete GDPR coverage;
- Guidance from expert GDPR practitioners; and
- Two licences for our GDPR Staff Awareness E-learning Course.
A version of this blog was originally published on 5 November 2018.