
While authorities may have been lenient in the first year of GDPR's introduction, organizations should now expect tougher penalties.

On 22 May 2019, the European Commission published an infographic on compliance with and enforcement of the GDPR since it came into effect in May 2018, and it is clear that a lot of work still needs to be done. 

In the last month, British Airways has been fined £183 million (US$229.6 million) for failing to protect people's personal data, Marriott International hotel group has been told to pay out just over £99 million (US$124 million) and credit reference agency Equifax has agreed a US$700 million penalty.

With GDPR aiming to give citizens back control of their personal data, organizations need to increase data security measures to comply, including employing multiple encryption methods on-site and in the cloud, guaranteeing strong key management, and verifying the legitimacy of user identities.

But what should an organization do if – despite its best efforts – a data breach occurs?

1. Contain it

As soon as an organization is aware that a data breach has taken place, it should stop any further breach of this data. 

2. Report it

Where a breach is likely to pose a risk to the rights and freedoms of those affected, organizations must report it to the relevant authority within 72 hours of becoming aware of it. Because a breach can have a range of effects on individuals, including emotional distress and physical and material damage, each breach should be assessed on a case-by-case basis.

3. Acknowledge it

If the breach is deemed to result in a high risk to individuals' rights and freedoms, those directly affected must be informed as soon as possible, so they can take their own steps to mitigate the effects of the release of their personal data. According to the Information Commissioner's Office (ICO), 'high risk' means the threshold for informing affected individuals is higher than for notifying the authorities.

4. Explain it

When reporting a breach, organizations must provide information on its nature, including:

  • The categories of the breach and the number of individuals and personal data records concerned
  • The name and contact details of an individual who can provide more information – this is your data protection officer if you have one
  • An outline of the likely consequences
  • A description of the measures already taken or due to be taken to deal with the breach.

5. Document it

Even if a breach doesn't need to be reported, organizations must record any breach that occurs.

By putting in place detection, investigation, and internal reporting procedures, and having checklists for breach preparation and response, businesses will have the information required to make decisions about reporting – within and outside of the organization – and be able to respond to a data breach as set out by the GDPR.
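To turn the five steps above into something a response team can check against, here is an added Python example (not from the article or any product it describes) modelling one breach-register entry: it holds the details a report must contain, computes the 72-hour authority deadline from the moment of awareness, and derives which notifications are owed from the assessed risk level. The sample breach, the reference number and the contact address are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum

# Reporting window the article cites: 72 hours from becoming aware of the breach.
REPORTING_WINDOW = timedelta(hours=72)

class Risk(Enum):
    """Outcome of the case-by-case assessment described under 'Report it'."""
    NONE = "no risk"    # record internally only
    RISK = "risk"       # notify the supervisory authority
    HIGH = "high risk"  # also inform the affected individuals

@dataclass
class BreachRecord:
    """One entry in the internal breach register, holding the details
    the authority expects in a report (nature, scale, contact, measures)."""
    reference: str
    aware_at: datetime                 # timezone-aware instant of awareness
    categories: list[str]              # kinds of personal data involved
    individuals_affected: int
    records_affected: int
    contact: str                       # data protection officer, if one exists
    likely_consequences: str
    risk: Risk = Risk.NONE
    measures: list[str] = field(default_factory=list)  # taken or planned

    def authority_deadline(self) -> datetime:
        return self.aware_at + REPORTING_WINDOW

    def required_actions(self, now: datetime) -> list[str]:
        """Actions owed at `now`: recording is unconditional, the rest depend on risk."""
        actions = ["record in breach register"]
        if self.risk in (Risk.RISK, Risk.HIGH):
            hours_left = (self.authority_deadline() - now) / timedelta(hours=1)
            if hours_left > 0:
                actions.append(f"notify authority within {hours_left:.0f}h")
            else:
                actions.append("notify authority (72h window already passed)")
        if self.risk is Risk.HIGH:
            actions.append("inform affected individuals as soon as possible")
        return actions

# Constructed sample (not from the article): lost laptop with customer contact data.
SAMPLE = BreachRecord(
    reference="BR-0001", aware_at=datetime(2019, 7, 10, 9, 0, tzinfo=timezone.utc),
    categories=["customer names", "email addresses"], individuals_affected=1200,
    records_affected=1200, contact="dpo@example.com",
    likely_consequences="targeted phishing of customers", risk=Risk.HIGH,
    measures=["device remotely wiped", "affected passwords reset"])
```

Calling `SAMPLE.required_actions(now)` six hours after awareness lists the register entry, the authority notification with 66 hours remaining, and the notification to individuals; a breach assessed as no risk yields the register entry only.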
