By Dan May, Commercial Director, ramsac
In the new era of cybercrime, working out the correct response to an incident, and the sanctions a business may face, can seem challenging, if not confusing. When it comes to data protection and operational compliance in the digital world, authorities such as the Information Commissioner's Office (ICO) have identified widespread confusion surrounding incident management, from the initial decision to report through to the whole process that follows.
The Information Commissioner's Office recently revealed that nearly a third of the 500 data breach reports it receives weekly are unnecessary or fail to meet the minimum threshold of a personal data breach under GDPR. As many organisations prepare for compliance with the General Data Protection Regulation (GDPR), there remains an unfortunate atmosphere of confusion and misunderstanding about appropriate incident management under data protection regulation. Organisations seem to struggle to identify which types of incidents or breaches must be officially reported under GDPR.
It is understood that ‘over-reporting’ is the most common reaction to perceived breaches. Whilst this is largely motivated by a desire for operational transparency and good compliance practice, clearing up misconceptions surrounding GDPR and data breaches can help businesses remain competitive by avoiding risky or costly penalties.
Identifying personal data breaches
Over-reporting is not a strategy so much as a scattered reaction to a data breach. Under GDPR, which reaches across European territories and beyond, there is a new urgency to officially report compromises that might undermine data protection within your organisation. This is considerably more than a courtesy to your employees: it is an attempt to strictly regulate the collection, movement, and storage of personal information, which is why it is most often a challenge for companies that hold larger amounts of data.
Under the General Data Protection Regulation, a personal data breach is defined as a “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed” (Article 4, definition 12).
Importantly, not all ‘breaches’ are equal in severity and, therefore, not every incident needs to be officially captured and reported. Where a compromise falls outside this definition, or where its severity is limited, reporting is not necessarily required. The goal for businesses should be to clarify whether action is officially required or not. But how does this look in everyday practice?
It is always advisable to evaluate incidents and cases individually, determining the next actions based on the severity of each breach. Some breaches may affect or inconvenience the role of a single employee, whereas other, larger compromises can impact the emotional, physical, or financial lives of many.
Any business that suffers a breach should plan to formally document what happened and any next actions, including whether it was reported or if it failed to meet the criteria. This can help businesses in the scenario that a decision is challenged.
How soon should a breach be reported?
All businesses are responsible for identifying, and responding to, breaches under data protection law. Not only should businesses aim to have the right controls in place to promptly detect a breach, but they must report any qualifying compromise to the supervisory authority within 72 hours (as set out in Article 33). One of the most common misconceptions about GDPR compliance is that this mandatory reporting period means 72 “working” hours. In fact, a breach must be reported within 72 hours from the moment of discovery.
Where employees or members of the public are affected by an unauthorised data breach, those affected should be appropriately notified. In certain scenarios, a business may even need to release a press statement. This gives the affected parties an opportunity to take precautions and guard themselves against any fallout.
What needs to be officially reported?
Compliance requires expertise, and failures, delays, or inaccuracies in businesses' responses to the ICO's requests for information are increasingly common. Preparing for incident management within your organisation means understanding your responsibilities when a breach is detected and how it needs to be managed, including documenting the actions taken.
Refer to the ICO’s data breach reporting assessment for the kinds of information required following a breach and the depth expected from your investigation. The ICO expects every business to demonstrate the depth and breadth of their investigation by responding to everything from breach discovery to management of its effects.
Failure to respond properly to data breaches under the GDPR can result in heavy fines and penalties. The role of data protection cannot be overstated, both in how your company plans to prevent breaches and in how it will manage any future ones. Compliance with GDPR, though commonly misunderstood, can define how your operation does business in markets subject to data protection governance.
About the Author
Dan May is the Commercial Director at ramsac, providing secure, resilient IT management, cybersecurity, 24-hour support, and IT strategy to growing businesses in London and the South East.