GDPR – Immediate Actions after a Breach of Security
Jul 11, 2018
The GDPR requires organizations within its scope to protect personal information of data subjects within their control with appropriate security measures (Article 32(1)). Under Article 4(b), organizations need to be able to demonstrate processes around the security, availability, recovery and testing of their IT systems which encompasses disaster recovery. Failure to comply with GDPR may result in the greater of either 4% of turnover or 20 million Euro. Despite appropriate safeguards, accidents and unlawful access can happen. What should an organization do if personal information has been unduly accessed? This article focuses on key points that should be in any contingency plan for complying with GDPR standards.
1. Report to the supervisory authority within 72 hours (Article 33)
Each participating country has an official supervisory authority which monitors the compliance of GDPR. For organizations that are located outside of the EU, they should have a Data Protection Representative in the country most connected to their data subjects. It is recommended for non-EU organizations to also report to their national supervisory authority. In Japan, the organization is the Personal Information Protection Commission(日本の個人情報保護委員会).
The report, referred to as a Data Breach Response Plan must contain answers to the following questions:
- ・What types of data were leaked?
- ・How many information subjects does the leak involve?
- ・What are the consequences to those subjects?
- ・What has been done to ensure that this does not happen again?
- ・If the organization misses the 72 hour deadline, a valid reason to explain the delay.
2. Inform data subjects about the incident and highlight the potential risks
The notice should explain the nature of the breach and suggest ways to mitigate potential damage. For example, if credit card information has been stolen, recommending the data subject to check the card records and deactivate the card would be deemed appropriate.
3. Prevent the incident from happening again
Immediately change all passwords and create a fresh back up of data. Identify the weakness in the organization’s security and defend further access. Work with IT professionals to fix or update the system. Organizations should review the incident detection mechanism in place and consider engaging a Managed Security Service Provider (MSSP) if the organization is ill-equipped to detect security risks and respond to problems in a timely and accurate manner.
Why Prevention is Important
Organizations should note that many mechanisms and procedure are necessary in order to fulfill reporting requirements in the event of a security breach. Particular care should be given to the following mechanisms:
- ・Data inventory
- ・Incident detection
- ・Contingency Policy and Plan
- ・Communication Plan with both internal and external parties
- ・Dedicated response team
- ・Protect by using encryption, pseudonymization and backups.
- ・Reduce risks by deleting personal information that is no longer necessary or relevant.
- ・Limit and monitor internal access to reduce insider threats.
- ・Training and testing preventative measures
To learn more about how to be GDPR compliant, please refer to our other articles which include a To-Do List for organizations. Unfortunately, there is no one-size-fits-all when it comes to data protection as the nature of the organization, size, internal structure and quantity of data can vary significantly. However, we welcome organizations to contact us to discuss how to develop a tailored plan.