Reporting a Data Breach – When & How?

A data breach occurs when the data for which my organization/ company is responsible suffers a security incident resulting in a breach of confidentiality, availability, or integrity. If my company or organization is a data processor, it is required to notify the data controller of any data breach. Unless there are strong technological and organizational protection measures in place or other measures that demonstrate that the danger is no longer likely to materialize, if the data breach poses a high risk to people impacted, they should all be informed. To avoid probable data breaches, it is critical for an organization to establish proper technical and organizational procedures.

Provisions under the GDPR for reporting a Data Breach

GDPR is a broad set of data privacy rules that define how an organization must handle and protect the personal data of the organization’s employees and users. The regulation also outlines the way that organizations can report a data breach. The procedures for breach notification are outlined in Articles 33 and 34 of GDPR, however, most organizations are still uninformed of their obligations. Businesses frequently miss details such as what an organization should notify, when it should report it, to whom it should be reported, and what should be included in the breach notification. Significant fines may be imposed as a result of this negligence.

In the event of a data breach, the firm has many critical responsibilities as a Data Controller, including taking necessary actions and alerting concerned authorities and affected persons. Let’s start with a definition of a personal data breach, as defined by the GDPR Regulation.

What is a Personal Data Breach?

“Personal data,” as defined by GDPR, is any information about a natural person, such as their name, contact information, or health records, as well as comparable identifying information. A data breach occurs when personal data is accidentally or unlawfully destroyed, lost, altered, unauthorized disclosed, or accessed. When an unauthorized person or a cyber-criminal gains access to an organization’s database, whether by incursion or through the negligence of an employee managing sensitive personal data, a data breach occurs. GDPR frames a personal data breach as an incident that eventually results in the accidental loss or destruction of data or the unauthorized disclosure, alteration, or access to personal data of EU citizens.

Timeline for reporting a Data Breach

While it is important that the data breach incident be reported, it is also essential for organizations to understand that not all information security incidents are classified as personal data breaches. If that occurs, and it is likely that the breach poses a risk to an individual’s rights and freedoms, my organization has to notify the supervisory authority without undue delay and at the latest within 72 hours after having become aware of the breach. 

Who should be notified about the Data Breach?

Once a personal data breach has been found, companies must report the breach to the appropriate supervisory body in line with Chapter 6 of GDPR. According to GDPR, if a company does not have a legally established presence in the EU but yet has an event involving EU citizen data, it must notify the local regulatory authorities of each Member State in which it operates and is affected by the incident.

The organization must also notify all impacted individuals after alerting the supervisory authority. They should, at the absolute least, make a statement informing them that an incident has occurred. Although it is not expressly stated in the law, an organization can exhibit greater transparency by creating a website and a toll-free hotline for individuals to contact in order to learn more about the incident and have their questions answered.

Contents of a Data Breach Notification under the GDDPR

While the organization must notify the relevant supervisory authority and the affected individuals, it is also important to include necessary information concerning the data breach incident. Some of the details that should be included in the data breach notification include:

1. When the breach incident occurred and how it was discovered.
2. The categories or types of personal data that were affected.
3. The severity of the breach both in terms of records lost and the number of people affected.
4. The potential impact of the breach on data subjects.
5. The impact to the organization in terms of services provided to users.
6. Recovery time from the impact of the data breach.
7. Measures are taken to remediate and prevent such an incident in the future.
8. Name and contact details of the Data Protection Officer (DPO) for obtaining further information about the breach incident.

Steps to be taken in case of a Personal Data Breach

1. SECURE OPERATIONS
   a. You must act immediately to secure your systems and to address any vulnerabilities that may have contributed to the incident. Only several data breaches are worse than a single data breach. Take steps to prevent it from happening again.
   b. Secure any physical areas that may have been affected by the breach. If necessary, lock them and alter the access codes, and consult forensic experts, and law enforcement to determine whether it is safe to restart normal operations.
   c. To avoid further data loss, immediately mobilise your breach response team. The specific procedures to take will be determined by the nature of the breach as well as the structure of my company.
   d. Assemble a team of experts to conduct a comprehensive breach response. Depending on the size and nature of your company, they may include forensics, legal, information security, information technology, operations, human resources, communications, investor relations, and management.
   
2. FIX VULNERABILITIES
   a. Network segmentation is required. When building your network, you probably segregated it such that a compromise on one server or site wouldn’t result in a breach on another server or site. Analyze whether my segmentation plan was effective in containing the breach with the help of forensics experts.
   b. Check to see if any security measures, such as encryption, were in place at the time of the intrusion. Examine any data that has been saved or backed up. Examine logs to see who had access to the data at the time the incident occurred. Also, look at who has access now, see if it’s necessary, and if it isn’t, limit access.
   c. Verify the types of information compromised, the number of people affected, and whether you have contact information for those people. When you get the forensic reports, take the recommended remedial measures as soon as possible. 
   d. Have a communications plan. Create a comprehensive plan that reaches all affected audiences — employees, customers, investors, business partners, and other stakeholders. Don’t make misleading statements about the breach. And don’t withhold key details that might help consumers protect themselves and their information. Also, don’t publicly share information that might put consumers at further risk.
   e. Anticipate questions that people will ask. Then, put top-tier questions and clear, plain-language answers on your website where they are easy to find. Good communication upfront can limit customers’ concerns and frustration, saving myr company time and money later.

Conclusion

Every firm must adhere to the GDPR’s Breach Notification regulations. While this does not mitigate the incident’s outcomes, it does help to mitigate the incident’s impact and escalation. It can be viewed as a solution for businesses to reduce the danger of personal data breaches.

Because regulators acknowledge that a thorough investigation of a personal data breach can’t be completed in 72 hours, Article 33(4) allows companies to release essential information in phases without undue delay. However, organizations must expedite the process, prioritize the inquiry, and provide further information as quickly as possible. If all of the details are not provided within 72 hours, the organization must provide a valid cause for the delay as well as a timeline for completion.