Data breach reporting rockets under GDPR
We have been living with The General Data Protection Regulation (GDPR) for 3 months now, and while we are a long way off assessing the full implications of what a new era of tighter privacy regulation, enhanced data subject rights and a much more stringent enforcement regime in Europe really means for our economy, there are some interesting early indications of the scale of changes for businesses when it comes to data handling and dealing with issues.
One area is data breaches, where the Information Commissioner's Office (ICO) has seen 1,750 breach reports in June, up from 400 in April, according to its recent webinar. A data breach is the intentional or unintentional release of secure or confidential information in an unauthorised manner; a common breach might expose sensitive personal data or credit card numbers, for example.
So why have data breaches quadrupled since May? Well, the GDPR requires that high risk data breaches (those likely to result in a risk to individuals' rights and freedoms) are reported within 72 hours of the organisation becoming aware of the breach. So while not all breaches need to be reported to the ICO, businesses need to have the mechanisms and capability in place to detect, assess and remediate the issue within that window. And as a business, you'll also need to think about how you would contact the individuals involved, which is part of the new requirements.
Speed, communication, the right expertise, information and capability, and good decision making by leaders and employees all become crucial if high risk data is involved.
"In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55 unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay." (GDPR)
At Sympatico we believe 'forewarned is forearmed'. There is a spectrum of data breaches, but whatever the cause or impact, it's critical to plan and remediate for risks in our data driven organisations and economy. There's no point sticking your head in the sand. Be rational: think back from the worst scenario for your business and map out a game plan. Consider what you would do, how you would respond, which roles in your business are critical, and what you can do today to gear up. Be realistic about what capability (compliance, security, IT, communications, people, processes) you do and don't have now, and where the gaps are.
If you need more help, Sympatico offer in-house data breach and resilience consultancy, GDPR compliance and business resilience maturity assessments, and team or executive training as part of our Data Protection Officer (DPO) and Privacy on Demand services.
We will also be covering how to respond to a data breach for dental or medical organisations at our DPO Masterclass in Edinburgh on 30th August.