- Wednesday 22 August 2018
Since the General Data Protection Regulation (GDPR) was passed into law in May 2018 there have been an average of 592 data breaches reported monthly, resulting in 476 actual data cases each month. These figures from the Office of the Data Protection Commissioner in Ireland are significantly higher than those recorded in 2017, when the average monthly number of data breach cases was 230. While organisations take measures to protect themselves from incidents such as data breaches, we can see from the news that even the most diligent of organisations remain exposed to risk. The most recently reported security breaches demonstrate that large, tech-savvy companies are not immune to incidents: there is no set of security measures that is completely infallible against a breach.
Fiona Ryan, Spearline’s Head of Customer Engagement tells us what businesses of today have to consider when creating a plan of action to deal with the aftermath of a data breach.
STEPS TO TAKE TO PREPARE YOUR BUSINESS FOR A BREACH
Build an internal incident response team
Ensure that there is a cross-functional team trained, aware and ready to spring into action quickly when an incident or breach is detected. This team will more than likely be led by the Data Protection Officer (DPO) or Data Champion within the business. The team should include key players from the IT, Legal, Risk, Privacy, PR, Marketing and Customer Service departments. Ensure that this team is trained in security and data protection and, most importantly, has been involved in the organisation’s data protection compliance efforts.
Review existing policies and procedures around incident response
Your organisation’s policies will become the foundation of your incident response plan. Ensure that the policies are reviewed either by an individual in your organisation from the legal compliance side of the business or, alternatively, that they have been assessed by an external consultant in this sphere.
Implement an Incident Response plan
Your incident response plan is an exercise in crisis management. Your commercial reputation will be protected if your organisation can demonstrate that any incident which could arise has been considered, mitigated and that a plan is in place should an incident occur. The demonstration of a proactive approach will put you on a stronger foothold with your supervisory authority as well as reassuring your stakeholders that you are invested in good data protection governance. Poor handling of a crisis will leave a bad impression in the minds of key stakeholders and the damage to your organisation could be more severe and take longer to recover from.
Simulate an incident and put your plan into practice
There may be a number of different stakeholders involved in your incident response plan. It is important to organise a dry run of your incident response plan to simulate how an incident or breach will impact your organisation. A drill will expose where the plan needs to be modified, what communication and training is lacking and how equipped your staff are to manage an incident. The engagement of external stakeholders is invaluable, as you need to be sure that they can be relied on if an incident were to take place. The incident response plan simulation is a perfect opportunity to make improvements. Ideally, undertake a gap analysis on foot of this exercise.
Raise awareness among employees
Ensure that all employees within the business have up to date training in data protection. This can be easily achieved through group discussions, workshops, webinars, training with internal experts or attending an external training event. All employees need to be aware of the data protection policies and procedures within the organisation and realise that each team member plays an important part in data protection.
System to centralise your efforts
It is essential for any organisation to have a system in place for the monitoring and tracking of data protection efforts prior to a breach occurring. This effort can be tracked through data mapping, policies and procedures and the identification of steering committees and incident response teams. A centralised system means that projects involving multiple team members can be catered for, with the advantage of task and deadline assignments. Metrics and reports can be pulled from across the organisation and dashboards give you an overview of your progress at a glance.
The costs associated with responding to a breach may not have been included or considered, or may have been underestimated, when preparing budgets for the year ahead. It is imperative that the Data Protection Officer (DPO) or Privacy Program Manager makes sure that they have the necessary resources to train employees, ensure effective systems are in place, facilitate the creation of policies and procedures and, should a breach occur, that the resources are sufficient to put the incident response plan into effect. Cyber liability insurance cannot be overlooked in this regard.
WHAT TO DO AFTER A BREACH IS DETECTED
When a data breach occurs there could easily be panic within the organisation. Hopefully you will have an incident response plan in place to facilitate a calm, organised approach to dealing with the incident. Below are steps to take to steer your organisation through a data breach or incident.
Engage the data breach response plan
Ensure that this plan is proactive and not reactive. The creation of the plan will entail investigating and researching the legislative requirements around breach management including the time frames for notifications to Supervisory Authorities and Data Subjects affected.
1) This plan should highlight who the data privacy team/incident response team are within the business, together with their department information and contact details.
2) Detail the procedures to follow when an incident or breach is detected including how that breach is analysed and investigated by the team responsible.
3) The plan should include a communication strategy for the notification of breaches to your Supervisory Authority and any data subjects affected.
4) Possible remediation measures which could be initiated by the business should be highlighted within the incident response plan.
5) If there is insurance in place to cover such breaches the information in relation to the insurance policy should be detailed within the plan.
Through an effective investigation of the incident in question you can establish what data has been compromised and the time frame during which it was compromised. This will allow the investigative team to uncover the root cause of the breach and identify any other existing risks or vulnerabilities which had not previously been identified by the organisation. This new information allows mitigation plans to be drawn up and solutions to be implemented, minimising the risk. The investigation should help the team to determine the source, scope and sensitivity of the data compromised.
Establish whether a notification requirement is necessary to any of the data subjects whose data has been compromised during the breach. If the breach has a high risk of affecting individuals’ rights and freedoms, you must inform those individuals without undue delay. Your organisation should issue a notification to the relevant Supervisory Authority within 72 hours of breach detection regardless of the level of risk involved. It is important to be familiar with what details need to be included in the notification to either the Data Subject or the Supervisory Authority.
Develop a comprehensive communication plan to be actioned as part of the breach response plan, and stick to this approach. This communication plan should ensure that the business is prepared to respond to the media on foot of incidents or breaches occurring. Determine the methods of communication within the strategy so that no decisions need to be taken in a reactive manner. Any messaging that will be sent to Data Subjects affected by the breach has to be timely, carefully constructed, honest and transparent, and uphold the integrity of the organisation. Demonstrating the measures your organisation has implemented will help to reduce the impact of the breach on your reputation. A paper trail of your plans and the thought process behind them is important to show your Supervisory Authority that you have done due diligence on your data protection governance to achieve compliance. Good communication promotes stronger and better relationships with key stakeholders.
Containment and remediation plan
Once you have dealt with the immediate factors entailed in a data breach, it is time to examine your organisation to determine how to contain this incident and put safeguards in place to protect the organisation from an incident of this nature taking place again. A plan to repair the issue which led to the data breach needs to be escalated, and a report or briefing needs to be disseminated to all relevant stakeholders, as they will have concerns and need to know the extent of the situation and how the remediation plan is progressing. The remediation plan should also take into account the mitigants which will be employed to minimise the impact of the breach on the Data Subjects concerned.
A record should be maintained of all data breaches and incidents which have occurred within the organisation. This is necessary from a regulatory perspective but is also an exercise in best practice for your organisation. This record can be utilised as a resource by the business from a lessons-learned perspective and to assist the adoption of adapted or new operational measures and processes in the future.
Spearline is an award-winning software company which has crafted the leading compliance solution, Spearline Data Protection, with the user at the centre of the design. Whether you need to demonstrate compliance, safeguard your reputation or increase trust from your customers and employees, this is the optimum solution for your organisation.
Our solution is a central place to operationalise your risk, compliance and privacy programmes. With built-in features to maintain data inventories, prepare for regulatory audits and respond promptly to requests or incidents, our software provides you with a robust audit trail which will help you reduce risk and the extent of any fine. We have the ability to cater to all company structures, from startups to enterprises.
In addition, you can add on Spearline Managed Service, the perfect solution for organisations who don’t have the resources or the expertise to handle GDPR compliance or who want to enhance their data protection team. This service solves staffing difficulties by outsourcing the headache of compliance to Spearline specialists. It is a cost-effective way of ensuring that you become and remain compliant. Most importantly, it gives you the freedom to focus on your business and not worry about compliance and the hefty fines that may be imposed for non-compliance.
To find out more about this world-class software visit www.spearline.com, email firstname.lastname@example.org or call 1800 851266.
Fiona Ryan is a certified Data Protection practitioner with a background in the legal, financial and governance sectors. She is a qualified financial adviser with an LLB in Irish Law and a Masters in Corporate Governance and Management. She is also a Chartered Secretary and a member of the Institute of Bankers and ICSA (Ireland). Fiona heads up Spearline’s customer engagement, providing our customers with invaluable advice and expertise on their GDPR compliance journey. Get in touch with Fiona by phone on 1800 851266 or by email at email@example.com