Responding to data breach incidents is a labour and time-intensive process that can prove highly distracting for organisations. Can the approach to managing data breaches be improved?
What are the EU and UK data breach notification requirements?
Under the EU's General Data Protection Regulation (GDPR) and the UK GDPR, data controllers must notify personal data breaches to the relevant data protection regulators.
If the breach represents a high risk to data subjects, data controllers need to notify those data subjects as well.
Processors of personal data also have obligations to notify their data controllers and provide certain mandatory information about any incidents, so the controllers can take the necessary steps.
Under the GDPR and UK GDPR, data controllers have a 72-hour window, starting at the point the data controller becomes aware of a breach, in which to assess its severity and decide whether notifications are necessary. Other jurisdictions may impose even shorter time limits.
The key decisions data controllers need to make when assessing an incident include:
- Has there been a personal data breach?
- What data is involved?
- What individuals are affected?
- Which parts of the business/companies within a group have been compromised?
- What locations are affected?
- Who needs to be notified?
In practice, this means organisations need to be highly efficient and effective at gathering all the known facts around an incident and at quickly assessing them to decide on the next steps.
Where in the organisation does the data breach information come from?
The knowledge needed to make the assessment may come from different people across different parts of the organisation.
In most cases, organisations rely on sending Word document or Excel spreadsheet forms to multiple people in the business, before asking their in-house legal or risk teams, or external lawyers, to collate and assess the information.
This is often a time-consuming, messy process relying on duplicated manual data entry. And because data breaches are live incidents, facts tend to change rapidly, and key new information is frequently missed.
What happens if an organisation is slow to gather facts?
Failing to gather and assess facts quickly usually results in late notifications to the regulator, or in some cases in no notification being made at all.
In these circumstances, the organisation will have to explain to the regulator why it is making a late notification, or why it failed to notify.
Organisations in this position generally receive little sympathy from data protection regulators, and often receive fines and other penalties for having inadequate incident response approaches.
This is both expensive and reputationally harmful for organisations already trying to repair the damage caused by the initial data breach incident.
A new approach?
The most robust methodologies for assessing the severity of a data breach incident combine European Data Protection Board guidance, ENISA (the European Union Agency for Cybersecurity) guidance and first-hand experience of handling multiple data breaches.
But even the best approaches tend to rely on multiple documents and manual data collection and re-entry.
By transferring this methodology to a smart, cloud-based, customisable platform that allows users to securely and easily log, assess and track data breach incidents, organisations can remove many of the pain points typically experienced using manual processes.
The Fieldfisher Data Breach Manager has been designed with both user experience and regulatory requirements in mind.
It allows users to hand the workflow over to different users in the organisation and accommodate data entry from multiple sources, while maintaining an auditable log of what has been changed and when.
The Fieldfisher Data Breach Manager can accommodate existing data collection and analysis methodologies and formats, in different languages, with a simple drag and drop function allowing users to easily upload information.
As well as being a secure resource for organisations, the Fieldfisher Data Breach Manager also allows users to share the data collection and analysis process with external legal advisers and forensic experts, with confidentiality settings allowing users to control how much information is shared.
It also allows users to automatically generate reports in any format, drawing the right data from the organisation's data breach log and presenting it in a clear visual way.
As well as putting organisations in a strong, defensible position when dealing with the regulator, the Fieldfisher Data Breach Manager also supports regular business intelligence reporting by DPOs to company boards.