Handling GDPR Authorities After a Breach

Security Breach

How to Handle GDPR Authorities Following

How to Handle GDPR Authorities Following a Security Breach

Despite being implemented in 2018, it’s not uncommon for organizations to fail to follow the guidance set forth by the General Data Protection Regulation (GDPR). In fact, hundreds of organizations have fallen short, contributing to $126 million in fines in 2020. We’ve seen an increase in the number and size of fines and in relation, we’ve also seen an increased focus on data privacy within organizations.

GDPR affects almost every organization that conducts business in Europe. GDPR’s scope is very clear: any entity, which collects or processes personal data from residents of the EU must be compliant with GDPR. Collecting or processing data outside of the EU does not give you a pass on GDPR as you might still process personal data from EU residents.

As per GDPR, you need to have appropriate technical and organizational measures (TOMS) in place to safeguard personal data within your organization, but this cannot fully prevent a data breach from happening. GDPR regulations take data breaches very seriously. If you do not properly report a data breach, your business could face fines depending on the severity of your infraction.

Consequently, you must know how to deal with the authorities immediately following a data breach or attack. Let’s break down the basics of how to handle GDPR authorities after you experience a cybersecurity incident.

Know Your Roles

Before you can understand how to interact with GDPR authorities, you should first know the roles and responsibilities that are recommended under the GDPR. Let’s take a look:

Controller

The controller of an organization is the person or legal entity that determines the purposes and means behind processing personal data. In some cases, organizations have joint data controllers, where two or more controllers determine the purposes and means of the same data for the same purpose. Above all else, the controller’s biggest responsibility is to hold the organization accountable and make sure it is aligned with GDPR.

Processor

The processor is the person - or legal entity - who processes personal data on the behalf of the controller. The core responsibility of the processor is to ensure that conditions specified in the Data Processing Agreement are always met. This also requires that obligations stated in GDPR are complied with as well.

Data Protection Officer

The Data Protection Officer (DPO) is another role required by GDPR. The DPO must oversee the initial approach, overall strategy, and implementation of data protection initiatives. The key responsibility of the DPO is to ensure GDPR compliance and advise the organization on how to stay within compliance. Companies can choose to outsource the DPO role to an external privacy services company. There can be many reasons for choosing an internal or external DPO.

Supervisory Authority

The Supervisory Authority - or sometimes known as a Data Protection Authority - is essentially a public authority in a European country that is responsible for monitoring compliance with GDPR. The core role of the Supervisory Authority is advising organizations about GDPR, conducting audits on GDPR compliance, addressing complaints, and issuing fines if GDPR requirements have not been met. An overview of all authorities can be found here.

In the Event of an Attack

Now, let’s consider a scenario: your organization has contracted an IT services firm to help you handle customer data in a way that is compliant with the GDPR. Your organization is the controller, and the IT services firm is the processor.

As the IT firm is archiving and storing customer data, they experience a data breach of an unknown origin. Now, all the personal data that you entrusted that firm with is open and at risk for unlawful access. Thankfully, since the IT firm is fairly reputable and knowledgeable of GDPR guidelines, they immediately notify your organization and relevant authorities of the breach.

What Happens Next

Once you’ve been given the bad news, the first thing you must do is assess the risk involved. How many people could this breach harm, and how badly? Are people’s rights and freedoms at risk? The definition of “people’s rights and freedoms” can be a bit unclear, so recital 85 provides some clarification on this.

If you still aren’t sure, you could take this self-assessment created by the Information Commissioner's Office to help you decide. If you have found that the risk is great enough, you must involve the supervisory authorities and notify the people at risk without delay. A high-risk situation, in particular, means that you must notify the people at risk as soon as possible. This will help allow those affected to take measures to protect themselves.

When reporting a breach, you have to follow the rules carefully. While experiencing an attack is nerve-wracking in and of itself, you must follow GDPR guidelines to the letter. GDPR requires organizations to take certain decisive steps within a short window of time. Therefore, it is important that your IT, Security and Legal teams work together within your organization and have agreed upon a process to follow when a data breach occurs. You should ideally notify authorities immediately, but you have up to 72 hours to report. If you take longer than that, you will have to provide the authorities with a valid reason why you were delayed. Controllers and processors should be in constant communication regarding their progress in reporting so that neither party exceeds the time limit in the event of a breach.

To report a breach, you have to call the Supervisory Authority within your region. At a minimum, you should provide the following when reporting a breach:

  • describe the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
  • communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
  • describe the likely consequences of the personal data breach;
  • describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

After you’ve talked to the authorities, they will help you identify the proper next steps which vary widely depending on the exact circumstances of your breach. They may take regulatory action, identify data security incident trends, or even share it with law and cybercrime agencies. Keep in mind that honesty is always the best policy – if you delay or give incomplete information, you could face hefty fines.

It’s not always easy to determine the right action to take within the context of GDPR – and it’s even more difficult to take the appropriate actions following a disorienting data breach.

A data breach or cyberattack can throw your entire organization off kilter, but by staying abreast of the best practices for reporting a breach to GDPR authorities, you will be able to act quickly in the event of a cybersecurity incident. This won’t only keep you in the good graces of GDPR authorities – it will give you more time to overcome any setbacks put forth by the cyberattack itself.

SoftwareONE can help to keep your (personal) data safe with our security solutions. However, we do not provide legal services around GDPR.

The Threat of Cyberattacks is Ever-Increasing

Our managed security services can help protect your organization against a variety of cyber threats while shoring up a holistic approach to cybersecurity.

Learn more
  • Cybersecurity, Managed Security
  • GDPR, Cyber Threats, Data Breaches

Comment on this article

Leave a comment to let us know what you think about this topic!

Leave a comment

Author

Bala Sathunathan

Bala Sethunathan

Director, Security Practice & CISO

Cybersecurity

Related Articles

cyber-security-update-august-2021
  • 15 September 2021
  • Bala Sethunathan
  • Cybersecurity, Managed Security, Cyber Threat Bulletin, Cybersecurity User Awareness
  • Cyber Threats, Ransomware, Vulnerability Management

Cyber Security Update August 2021

Accenture and Bangkok Airways suffer from a LockBit Ransomware Attack. Learn why ransomware attacks have become a favorite form of attack.

cyber-security-update-july-2021
  • 09 August 2021
  • Bala Sethunathan
  • Cybersecurity, Managed Security, Cyber Threat Bulletin, Cybersecurity User Awareness
  • Cyber Threats, Physical Security Risks

Cyber Security Update July 2021

At least one in three reported data breaches involved an insider. Accidental and malicious insider risk can cost businesses 20% of their annual revenue.

End of Life Software is a Bad Idea

Why Using End of Life Software is a Bad Idea

It is imperative that organizations understand how to reduce the risks EOL software poses and prepare to upgrade solutions that are nearing their EOL date. Learn more.