One of the more challenging aspects of the GDPR will undoubtedly be the requirement to report breach notifications to the supervisory authority within 72 hours of becoming aware of the breach (see Article 33).
Within GDPR, there is an important clarification to note for the meaning of “data breach.” A “personal data breach” should be addressed differently than a normal “data breach.” It is not legally required to report on a “data breach,” but in the event of a personal data breach, things change with the risk of penalties for non-compliance.
Additionally, Article 34 requires that “when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.”
If you’re keeping track, that’s two new requirements under GDPR related to reporting security breaches.
So, how does the GDPR define a personal data breach? And, how should you go about reporting one should it occur? Furthermore, how do you prepare for a breach so that, if one does occur, you have procedures in place to respond and report it appropriately?
Preparing for and responding to personal data breaches is not just a requirement of the GDPR; it’s a good business practice in general. Here’s a practical checklist for preparing for and responding to personal data breaches in accordance with the GDPR.
Preparing for a Breach
1. Understand how the GDPR defines a “personal data breach.”
The GDPR’s definition of a data breach is not patently different from typical definitions, but it’s important to know the standard you’ll be held to should one occur.
According to the official text, a “’personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.”
2. Locate and document data on your network/systems.
Next, you’ll need to know what’s at risk. Where does your organization store personal data? All departments should collaborate to ensure no personal data or potential weak spots are overlooked.
Once you’ve determined where personal data resides, document its location and the controls in place to prevent unauthorized access to it. Review these controls and ensure they are sufficient because the one thing better than correctly responding to a breach is not experiencing one in the first place.
3. Implement controls to help prevent and identify breaches.
To prevent security breaches, ensure your organization is following proper information security hygiene as well as conducting regular security awareness training for employees so they can identify potential attacks.
Additionally, make sure you’re consistently testing the perimeter security of your network with internal and external penetration tests and vulnerability scans. This can help identify and correct potential weak spots in a safe, controlled environment.
You may already have appropriate firewall configuration and network segmentation controls in place, but also make sure you’re performing network monitoring and reviewing logs on a regular basis for suspicious behavior. Additionally, train personnel to identify the signs of a breach, and report breaches correctly within your organization.
One aspect of the GDPR that differs from other regulatory or compliance requirements is the mandate that personal data breaches must be reported to the supervisory authority within 72 hours.
This being the case, it’s important to configure your breach notification services to alert early enough to enable fulfillment of this minimal reporting window.
4. Perform tabletop incident response tests.
Assuming you’ve already implemented an incident response plan, make sure you’re testing it regularly. The goal is not necessarily to perform the most thorough test imaginable, but to ensure all involved employees have a clear understanding of their responsibilities should a breach occur.
Responding to a Breach
1. Identify the extent of the breach.
Regardless of how the breach was detected, one of the first things you’ll need to do is determine its extent. What’s the nature of the breach? What sort of information was disclosed, altered, deleted, etc.? What is the approximate number of data subjects concerned and the categories and approximate number of data records concerned?
Refer to your incident response plan to identify which personnel are responsible for breach discovery and analysis. Your incident response plan should also include potential consequences of a breach and mitigation strategies based on the type of information compromised. So, once you’re aware of a breach, begin following the mitigation strategies outlined in the plan. This might mean taking databases offline or blocking all remote access until you know the extent of the breach.
2. Identify to whom you need to report the breach.
While the GDPR introduces strict breach notification requirements, it’s worth noting that strong encryption can help maintain the integrity of your data should you experience a breach. It can also help you make the case that a breach is unlikely to be damaging to users since the data is unusable unless decrypted.
That said, any personal data breach, unless it “is unlikely to result in harm to the data subject,” is required to be reported to the supervisory authority within 72 hours of discovery (see Article 33).
In many cases, U.S. companies affected by the GDPR are service providers, acting on behalf of companies in the EU. If you fall into this category, you’re a data processor, and you would report a breach to the EU company with whom you’re doing business. That company would then be responsible for reporting the breach to the appropriate supervisory authority.
However, if you’re a data controller, i.e. your company “determines the purposes and means of the processing of personal data,” you are responsible for reporting directly to the regulatory body of each EU country with whom you do business. (See Article 4 for “controller” and “processor” definitions.)
Breaches are also required to be reported to data subjects “without undue delay” if “that personal data breach is likely to result in a high risk to the rights and freedoms of the natural person” (see Article 34).
However, if you are able to prove any of the following, you are NOT required to notify data subjects of a breach (according to Article 34):
- “the controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular, those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption;
- the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialize;
- it would involve a disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.”
Note: The above exceptions apply only to data subjects, NOT the supervisory authority.
Any breach must be reported to the supervisory authority unless it meets the exception noted in Article 33 (“unlikely to result in harm to the data subject”).
3. Report the correct information to appropriate people within the required timeframe.
The GDPR also specifies what information should be reported when notifying either the supervisory authority or data subjects of a breach. When reporting to the supervisory authority, your notification should (according to Article 33):
- “describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
- describe the likely consequences of the personal data breach;
- describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.”
When notifying data subjects of a breach, the notification must “describe in clear and plain language the nature of the personal data breach,” (see Article 34). You must also adhere to items B, C, and D of Article 33 noted above.
Breach notifications must be handled transparently and clearly with both supervisory authorities and data subjects. Failure to do this not only makes you non-compliant with GDPR regulations but risks damaging your organization’s reputation.
Ensure the incident response plan includes breach communication principles, including the following:
- Center communication around facts, not speculation.
- Ensure information communicated is consistent.
- Provide customers an avenue to learn about the breach and inquire about their data.
As mentioned, breaches must be reported to supervisory authorities within 72 hours of discovery and to data subjects “without undue delay” (see Articles 33 and 34).
The breach notification requirements set forth by the GDPR present new and unique challenges. LBMC Information Security’s computer incident response services can help you plan and execute a GDPR-compliant incident response plan.