How prepared are you for the inevitable personal data breach? Did you know that good preparation can double your chances of not having a breach at all?
Cisco’s excellent 2020 Data Privacy Benchmark Study (highly recommended), as well as reporting an average return of 2.7 times on Privacy spend (3.5 times in the UK), found that organisations that scored higher for Privacy maturity:
Now that sounds great to us! So we’re going to look at the Seven Steps to Prepare for a Breach that you can take to reduce the chances of having one, reduce the impact when you do, and react rapidly and in compliance with GDPR.
And you can watch our free video ‘7 Steps to Prepare for Personal Data Breach’, which is part of Privacy Kitchen – FREE video help with GDPR and all things Privacy. If you’re new to Privacy Kitchen, please do check it out here – and click subscribe and notify to hear about awesome Privacy Kitchen videos.
Two points to note:
Privacy really is a team sport, and you’ll need a team to plan how to prepare for a breach and then carry out that preparation. That preparation can be summarised in our remaining six steps:
Typically, the lead person is your Privacy Champion, the person looking after GDPR in your organisation. They know most about GDPR. They’ll know about the tests and the obligations in GDPR, the factors for GDPR risk assessments, and they’re probably going to be the one notifying the regulator and individuals if you have to.
The second key person is your Head of Security because, as we saw in our video ‘Personal Data Breaches & GDPR’, every personal data breach starts with a security breach. They’ll know what the security risks are and how to assess them, and they’ll lead the remediation and your technical reaction when there is one.
Now, depending on the size of the organisation, these may be the same person – they may be you! In a large organisation, they may delegate to team members. And you may have a slightly different team for actually reacting when you do have a breach.
Now your Privacy Champion will lead here, and may have already carried out their personal data inventory. The full inventory will tell you where personal data lives in your organisation and the key security information: who has access, who it’s shared with and why, all through the data lifecycle from collection and storage through to destruction or anonymisation at the end.
Now, GDPR’s Article 30 does require you to keep certain records of processing. These ‘Article 30 Records’ are summary records only. Your actual inventory, or Data Map, will have much more information. You’ll want to be looking at your full inventory.
Keepabl’s Privacy SaaS can really help you here, and with all these steps.
Now you know where the personal data is and what happens to it, you can do risk assessments, which in Privacy are called Privacy Impact Assessments (PIAs for short), or Data Protection Impact Assessments (DPIAs) in the language of GDPR’s Article 35, because you’re looking at the impact on individuals from your processing of their personal data.
We looked at risk in the GDPR and impact assessments in separate videos, so the biggest point to make here is the different approach to risk: GDPR assesses risk to the rights and freedoms of the individuals whose data you process, not risk to your organisation:
ENISA, the EU Agency for Cybersecurity, recognises this in its Guidelines for SMEs on the security of personal data processing and its Handbook on Security of Personal Data Processing, both of which walk through risk assessment with real-life examples and are highly recommended.
Now, of course, GDPR may not care about risks to your organisation, but you do! And you’ll need to consider enterprise risk as well as risk to data subjects as you go.
Now, after recognising the different approach to risk, you can borrow a lot from Security’s best practices. Indeed, GDPR borrows the famous ‘CIA triad’ from Security: Confidentiality, Integrity and Availability.
Those map to the three types of personal data breach in GDPR (a confidentiality breach is unauthorised disclosure of or access to personal data, an integrity breach is unauthorised alteration, and an availability breach is loss or destruction of personal data or loss of access to it), and they help you categorise those risks.
In its Guide on GDPR and Security, the UK ICO notes that you do need to consider the CIA triad, and for risk assessments it goes on to recommend that you review:
And the UK ICO names some factors to take into account, such as:
Again, those ENISA documents are a useful reference on how to assess risk.
Your risk assessments will identify remediation actions on both the enterprise risks and the risks to individuals, which the team will then implement, helped by others as appropriate. In GDPR-speak, you must implement ‘appropriate technical and organisational measures’, and ‘appropriate’ means appropriate to the risk to individuals.
And, again, it’s good to document these, because, as the UK ICO notes, the regulator is required to consider the measures you had in place when deciding on an administrative fine if you have a breach.
Now, both the UK ICO and ENISA note there’s no ‘one size fits all’ approach to Security. But you should look at physical security as well as cybersecurity.
We’ll be looking at Security in more detail in other videos – it’s a huge topic – but we always recommend these typical top measures to reduce GDPR risk:
The UK ICO and ENISA guidance (both linked below) give further examples.
Your Privacy Champion will take the lead here, but as we noted in our video ‘Personal Data Breaches & GDPR’, every personal data breach starts with a breach of security. So your Personal Data Breach Response Plan will have to dovetail with, and at least be tightly connected to, your existing Security Incident Response Procedure.
A good, clear procedure really helps in the heat of the moment, so do take some time over it. A good procedure will help to:
Now, on notifications, bear in mind, it’s not just GDPR you’ll be considering – you’ll have other regulatory, contractual and moral obligations to consider. Do you notify individuals, partners, customers, insurers, regulators or even other authorities?
Everyone needs training on Security and Data Protection, and breach is a clear crossover point between the two. But training needs to be appropriate for each role: everyone will have basic training, the response team will need to know it all, and there will be some people in the middle.
If you do have a breach and you do need to notify it to the UK ICO, their ‘Report a breach’ form asks whether the staff involved had data protection training in the last two years, so this is something you need to do. We recommend training new joiners and then giving annual refreshers.
And the awareness part can be very simple, very effective, and a lot more fun. Posters around the office and the occasional notice during all-hands calls work wonders. Tabletop exercises, often called wargames, are great fun too: they’re good for team building and they get people role-playing real-life breach situations.
OK, the final part!
This final part is to keep all this hard work alive by periodically reviewing it all: reviewing the risks, reviewing your security measures, reviewing your policies, reviewing your training, making sure everything is kept up to date and keeping that governance going.
And a quick word on tools to use. Really, it’s whatever works for you. Yes, you can use spreadsheets to do this. Yes, we’re obviously going to say SaaS is better: look at Xero for finance, Salesforce for CRM or Bamboo for HR, and SaaS just makes things easier. But do have a look at the market and find what works for you.
One big thing, though: if you have a process that works at the moment, think carefully before you ditch it. Try to find something that works with the process you already have.
So there you go – Seven Steps to Prepare for Personal Data Breach!
Please do look at our other Privacy Kitchen videos such as ‘Personal Data Breaches & GDPR’.
Please do get involved, and use #privacykitchen to tell us the topics and questions you want us to cover.
Stay well in the meantime, and we look forward to seeing you in Privacy Kitchen soon!
UK ICO on Breaches and GDPR
UK ICO on Security and GDPR
The EU Agency for Cybersecurity (ENISA)’s Guidelines for SMEs on the security of personal data processing
The EU Agency for Cybersecurity (ENISA)’s Handbook on Security of Personal Data Processing