From Facebook to British Airways, recent headlines have been dominated by a wave of high-profile digital disasters. With the General Data Protection Regulation (GDPR) enforced since May 2018, the financial and reputational damage inflicted by a breach can spell disaster for organisations of all sizes and sectors.

Ponemon Institute’s 2018 Cost of a Data Breach Study found that the average cost of a data breach globally is $3.86 million (about €3.34 million), a 6.4% increase on the 2017 report. Data breaches are becoming more severe, yet many organisations still assume they will never suffer one.

Since you began reading this guide, 2,916 data records have been lost or stolen worldwide: according to Gemalto’s Breach Level Index, 6,990,429 data records are compromised every day. That’s 291,268 every hour, 4,854 every minute and 81 every second. And with the cyber threat landscape only set to grow in 2019, organisations should adopt a ‘when, not if’ mentality if they are to protect themselves.

Your data breach reporting obligations

Under the GDPR, data controllers determine the purposes and means of the processing, while data processors process personal data on their behalf. A processor must notify the controller “without undue delay” after becoming aware of a personal data breach (Article 33(2)).

If you are a data controller, you must notify your supervisory authority without undue delay when you become aware of a breach that is likely to result in a risk to data subjects’ rights and freedoms (Article 33(1)). Where feasible, this must be done within 72 hours of becoming aware of the breach; if you notify later than that, you must give the reasons for the delay. Failure to meet these obligations exposes you to administrative fines of up to €10 million or 2% of global annual turnover, whichever is greater.

The solution? #GetBreachReady

For a higher level of information security, turn to the international standard for information security management, ISO/IEC 27001:2013 (ISO 27001), as many thousands of organisations already have.
Data controllers must also notify the affected data subjects without undue delay if the breach is likely to result in a high risk to their rights and freedoms (Article 34). This is not required where the affected data was protected by measures, such as encryption, that render it unintelligible to anyone not authorised to access it (Article 34(3)(a)), and data that has been genuinely anonymised is not personal data at all. Note that the encryption exemption only holds if the decryption key was not also compromised in the same incident; otherwise you must assess the risk to data subjects as if the data had been exposed in clear.

Five steps for reporting a personal data breach to the supervisory authorities

Get in touch with your supervisory authority to find out the process it wants you to follow to notify it. You will need to provide as much information as you can about the incident, structured around the following five steps.

SITUATIONAL ANALYSIS

Potential questions your supervisory authority might ask:
• What happened? Was the breach caused by a cyber incident?
• When and how did you find out about the breach?
• When did the breach happen?

The speed at which you identify and mitigate data breaches makes a significant difference in controlling your risks, costs and exposure. Few organisations really understand their state of readiness to respond to an incident. Incident response management helps you prepare for any event, enabling you to respond quickly and minimise business disruption. It allows you to detect incidents at an earlier stage, reduce the risk of future incidents occurring and develop robust defences against attacks. In particular, a robust and properly documented incident response procedure will help your organisation:
• Prepare, by assessing what risks you face and putting appropriate measures in place to mitigate them;
• Respond, by identifying potential incidents and taking appropriate action, including recovering your systems, data and connectivity; and
• Follow up, by carrying out a post-incident review to investigate thoroughly what happened and update your controls and processes based on what you learn.
ASSESSING THE AFFECTED DATA

Potential questions your supervisory authority might ask:
• Categories of personal data breached
• Number of personal data records concerned
• Number of data subjects affected

Article 30 of the GDPR requires most data controllers and processors to maintain written records of their processing activities, which must be made available to the supervisory authority on request. The majority of organisations process much more personal data than they realise. Mapping the data flows within your organisation will give you a full understanding of all the personal data you collect, store or otherwise process, as well as where and how you transfer it. To map your data effectively, you must:
• Understand how it flows, from suppliers and sub-suppliers through to customers, whether inside or outside the EU;
• Describe how it flows through the organisation, covering each interaction point and every step in each process; and
• Identify key elements, such as the type of personal data being processed, the format(s) in which it is stored, how and to whom it is transferred, its locations and accessibility, the lawful basis for processing under the GDPR and who is accountable for it at all times.

DESCRIBING THE IMPACT: POTENTIAL CONSEQUENCES

Potential questions your supervisory authority might ask:
• Potential consequences of the breach: the possible impact on data subjects as a result of the breach, including whether they may suffer any actual harm.
• Any measures you had in place before the breach that aimed to prevent a breach of that nature (follow-up reports only).
• Actions you have taken to fix the problem and to mitigate any adverse effects (follow-up reports only).
• Steps you are taking to prevent recurrence, and when you expect these will be completed.
A comprehensive risk assessment will help you identify and assess the risks that are relevant to your organisation and environment, and establish the potential impact of a data breach on both your business and data subjects. It will also help you implement suitable measures for treating and managing those risks. Moreover, using a risk-based approach means the security controls you implement will be based on the risks you actually face, so you will not waste time, effort or expense attempting to protect your information from threats that are unlikely to occur or would have little material effect on your business. By following a proven risk assessment process and framework, you will be able not only to identify and assess the various risks you face but also to establish the potential impact of those risks on the confidentiality, integrity and availability of the data you hold, as Article 32 of the GDPR requires.

If you want to be extra prepared, you should also conduct a business impact analysis (BIA) to identify your key business processes and determine how quickly, in what order and with what resources you need to restore them to minimum and, at a later stage, full functionality in the event of a disruption. BIAs are an essential part of business continuity management.

PREVENTIVE MEASURES AND TAKING ACTION

Potential questions your supervisory authority might ask:
• Whether staff were made aware of their security responsibilities under the GDPR.
• Whether data subjects have been informed about the breach and how it may affect them.
• Whether you have told, or are planning to tell, any other organisations about the breach.

Many organisations don’t really understand the ways in which they and the data they process are at risk, and think data breaches are only caused by cyber incidents. However, many cyber attacks rely on human error to get a foothold in your systems, for example by using drive-by downloads or phishing campaigns to get unsuspecting users to run malware, or by taking advantage of users’ poor password practices. Regular staff awareness training will help embed effective practices throughout the organisation and reduce your risk of attack.

As well as providing staff with training on the GDPR and their data protection responsibilities, aligning your information security programme with best practice will help you prevent the most common breaches. All organisations require technical controls that are supported by robust policies and procedures, and driven and managed by appropriately trained staff. To this end, you should turn to the international standard for information security management, ISO 27001, as many thousands of organisations already have. ISO 27001 sets out the requirements for a best-practice information security management system (ISMS): a risk-based approach to corporate security against which you can also achieve independently audited certification. Its Annex A includes a control set for information security incident management (A.16 in the 2013 edition) that will help you prepare to comply with the GDPR’s personal data breach reporting requirements. Whether you want to achieve certification to ISO 27001 or simply use its guidance to implement information security best practice, the Standard provides a set of information security controls that can help you meet the threshold of “appropriate technical and organisational measures” and satisfy your legal and contractual requirements for data protection, including the GDPR. We also recommend regular penetration tests to find the vulnerabilities in your systems and networks so that you can address them before criminals find and exploit them.
It is also important to establish a data breach response plan that details how to address incidents when they occur, and to make sure you have sufficient resources and clear processes for responding to a breach. This builds on the functioning incident response plan covered in the first step.

OVERSIGHT

Potential questions your supervisory authority might ask:
• Your organisation’s details.
• Contact details of your data protection officer (DPO) or the senior person responsible for data protection in your organisation.

Under the GDPR, certain organisations must appoint a DPO, a role whose position and tasks are defined in Articles 38 and 39 of the Regulation. The function does not have to be in-house: you can also outsource the role. Even if you are under no obligation to appoint a DPO, it is often worth assigning overall data protection responsibility to one person, even if they don’t carry the official DPO title. (Note that a “DPO” has the same legal status whether the appointment is mandatory or voluntary.)

How IT Governance can help

IT Governance’s wide range of data breach solutions can help you at any stage of the process, from incident response management to data breach reporting. We have an in-depth understanding of the GDPR’s requirements and how best to meet them. We provide a complete compliance support service to help organisations prepare for and adapt to the GDPR. Our specialist team has extensive data protection and information security management project expertise, both in the UK and internationally. We offer a total compliance solution consisting of books, toolkits, software, consultancy, penetration testing, training and audits. We are a leading provider of ISO 27001 ISMS implementations, and our management team led the world’s first successful ISO 27001 implementation project.
Our vast technical expertise, combined with extensive experience implementing frameworks and standards across a broad range of industries and countries, means we are unrivalled in our depth and breadth of services. We work with your organisation to tailor services that meet your budget and business objectives.

ARE YOU ON TRACK WITH YOUR #BREACHREADY PROJECT?

To help you on your journey, IT Governance offers a wide range of data breach solutions:
• GDPR Toolkit
• GDPR Foundation Training Course
• DPO as a service
• Data Flow Mapping Tool
• ISO 27001 Controls
• ISO 27001 Toolkit
• ISO 27001 Foundation course
• ISO 27001 Basic Package

Do not fall victim to attack, and never forget that prevention is better than cure: get #BreachReady today.

IT Governance Europe Ltd, Third Floor, Boyne Tower, Bull Ring, Lagavooren, Drogheda, Co. Louth, A92 F682, Ireland.
t: 00 800 48 484 484
e: servicecentre@itgovernance.eu
w: www.itgovernance.eu
/ITGovernanceEU