
How to handle GDPR authorities following a security breach

Ravi Bindra, CISO

Although the General Data Protection Regulation (GDPR) has applied since 2018, it is still not uncommon for organizations to fail to follow its requirements. In fact, hundreds of organizations have fallen short, contributing to $126 million in fines in 2020. As the number and size of fines have grown, so has the focus on data privacy within organizations.

GDPR affects almost every organization that conducts business in Europe. Its scope is very clear: any entity that collects or processes personal data of EU residents must comply with GDPR. Collecting or processing data outside the EU does not exempt you, because you may still be processing the personal data of EU residents.

Under GDPR, you need appropriate technical and organizational measures (TOMs) in place to safeguard personal data within your organization, but such measures cannot fully prevent a data breach from happening. GDPR takes data breaches very seriously: if you do not properly report a breach, your business could face fines depending on the severity of the infraction.

Consequently, you must know how to deal with the authorities immediately following a data breach or attack. Let’s break down the basics of how to handle GDPR authorities after you experience a cybersecurity incident.

Know your roles

Before you can understand how to interact with GDPR authorities, you should first know the roles and responsibilities that are recommended under the GDPR. Let’s take a look:

Controller

The controller is the person or legal entity that determines the purposes and means of processing personal data. In some cases there are joint controllers, where two or more controllers jointly determine the purposes and means of processing the same data. Above all else, the controller is accountable for ensuring that the organization's processing is aligned with GDPR.

Processor

The processor is the person or legal entity that processes personal data on behalf of the controller. The core responsibility of the processor is to ensure that the conditions specified in the Data Processing Agreement are always met, which in turn requires that the obligations GDPR places on processors are fulfilled.

Data protection officer

The Data Protection Officer (DPO) is another role required by GDPR. The DPO must oversee the initial approach, overall strategy, and implementation of data protection initiatives. The key responsibility of the DPO is to ensure GDPR compliance and advise the organization on how to stay within compliance. Companies can choose to outsource the DPO role to an external privacy services company. There can be many reasons for choosing an internal or external DPO.

Supervisory authority

The Supervisory Authority, sometimes known as a Data Protection Authority, is a public authority in a European country that is responsible for monitoring compliance with GDPR. Its core role is advising organizations about GDPR, conducting audits of GDPR compliance, addressing complaints, and issuing fines when GDPR requirements have not been met. An overview of all authorities can be found here.

In the event of an attack

Now, let’s consider a scenario: your organization has contracted an IT services firm to help you handle customer data in a way that is compliant with the GDPR. Your organization is the controller, and the IT services firm is the processor.

While archiving and storing customer data, the IT firm experiences a data breach of unknown origin. Now all the personal data you entrusted to that firm is exposed and at risk of unlawful access. Thankfully, since the IT firm is reputable and knowledgeable about GDPR, it immediately notifies your organization and the relevant authorities of the breach.

What happens next

Once you’ve been given the bad news, the first thing you must do is assess the risk involved. How many people could this breach harm, and how badly? Are people’s rights and freedoms at risk? The phrase “rights and freedoms” can be a bit unclear, so Recital 85 of the GDPR provides some clarification.

If you still aren’t sure, you can take the self-assessment created by the Information Commissioner's Office to help you decide. If you find that the risk is great enough, you must involve the supervisory authority and notify the people at risk without delay. A high-risk situation, in particular, means that you must notify the people at risk as soon as possible, so that those affected can take measures to protect themselves.

When reporting a breach, you have to follow the rules carefully. Experiencing an attack is nerve-wracking in itself, but you must still follow GDPR guidelines to the letter. GDPR requires organizations to take certain decisive steps within a short window of time, so it is important that your IT, Security and Legal teams have agreed in advance on a process to follow when a data breach occurs. You should ideally notify the authorities immediately, but you have up to 72 hours to report. If you take longer than that, you will have to give the authorities a valid reason for the delay. Controllers and processors should stay in constant communication about their reporting progress so that neither party exceeds the time limit.

To report a breach, you have to call the Supervisory Authority within your region. At a minimum, you should provide the following when reporting a breach:

  • Describe the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
  • Communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
  • Describe the likely consequences of the personal data breach;
  • Describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

After you’ve talked to the authorities, they will help you identify the proper next steps, which vary widely depending on the exact circumstances of your breach. They may take regulatory action, identify data security incident trends, or share the information with law enforcement and cybercrime agencies. Keep in mind that honesty is always the best policy – if you delay or give incomplete information, you could face hefty fines.

It’s not always easy to determine the right action to take within the context of GDPR – and it’s even more difficult to take the appropriate actions following a disorienting data breach.

A data breach or cyber attack can throw your entire organization off kilter, but by staying abreast of the best practices for reporting a breach to GDPR authorities, you will be able to act quickly in the event of a cyber security incident. This won’t only keep you in the good graces of GDPR authorities – it will give you more time to overcome any setbacks caused by the cyber attack itself.

SoftwareOne can help to keep your (personal) data safe with our security solutions. However, we do not provide legal services around GDPR.


The threat of cyber attacks is ever-increasing

Our managed security services can help protect your organization against a variety of cyber threats while shoring up a holistic approach to cyber security.


Author

Ravi Bindra, CISO

Ravi holds over 20 years’ experience as a cyber security evangelist, holding multiple leadership roles in the Swiss pharmaceutical industry, such as Global Head of Risk Management, Global Head of Architecture and Global Head of Security Operations.