The EU GDPR (General Data Protection Regulation) is in full swing and there has already been a rise in reported data breaches, with the number of leaked records amounting to 145,942,680 in June compared to 17,273,571 in May. So, what does this mean for organizations that have already suffered a data breach?
A data breach could damage your reputation and you may face hefty regulatory fines.
Don’t allow your organization to fall victim to a cyber attack. Vacation season is well under way, so be sure to apply your SPF (security protection factor) and get yourself and your team #BreachReady!
High-profile data breaches such as Yale University and Facebook are reminders that the globalized world we enjoy gives cyber criminals the opportunity to hone their skills for more sophisticated hacking and phishing attacks.
Having a data breach contingency plan is essential in preparing for a cyber attack, should the worst-case scenario happen.
Under the GDPR, a personal data breach that is likely to result in a risk to individuals must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of the organization becoming aware of it. The NYDFS Cybersecurity Requirements and DFARS (Defense Federal Acquisition Regulation Supplement) impose similar 72-hour deadlines, although each reports to its own regulator (the NYDFS superintendent and the US Department of Defense respectively) rather than to a GDPR supervisory authority. Let’s say the GDPR applies to you…
What can you do to prepare?
- Understand the GDPR’s requirements, as well as how your organization collects, stores, and uses data. Knowing the data flow through your organization will help you to understand the potential weak spots and where you can focus your efforts
- Ensure that your privacy notice clearly explains to your customers, suppliers, and partners how and why you store their data and for what purposes
- Human error poses one of the biggest security risks – it’s all too easy to accidentally click a link in a well-constructed phishing email. It is therefore vital to ensure that your staff are trained appropriately, with annual refreshers to maintain awareness
As well as helping to reduce risk, undertaking these steps will help you understand your state of readiness to respond to an incident. It is important to shift your thinking – data protection and cybersecurity are no longer just IT issues. They are business issues that can derail an organization.
What must you report if you suffer a data breach?
Under the GDPR, organizations established outside the EU that fall within its scope must generally designate a representative in the EU, and every organization in scope has a lead supervisory authority. If your organization is registered in the UK, your supervisory authority is the ICO. To report a breach, you can either call the ICO’s helpline or fill out its online form.
When reporting a breach, you should include:
- As much detail as possible about what happened, what went wrong, and how it happened
- An assessment of the data affected, including the categories of personal data and the number of records concerned
- A description of the possible impact on data subjects
- A report of staff training. Specifically, has the staff member involved in the breach received data protection training in the past two years?
- A description of the actions you have taken or propose to take
- A report of any oversights by the DPO (data protection officer), or the senior person responsible for data protection in your organization
Producing this level of detail within the 72-hour timeframe is far easier if your organization already has its GDPR compliance in place: you will know where the affected data lives, who is responsible for it, and who needs to be involved.
However, if you’re not yet GDPR compliant, now is the time to start getting #BreachReady!
Visit our data breach reporting page to understand more about what you need to do. If you still have any questions, contact our team for friendly, expert advice.