Last week we talked about how businesses should protect their personal data through their technical and organisational measures. This week we will look at how your business can prepare for and create a contingency plan in case a data breach occurs.
In recent weeks there have been a number of high profile data breaches in the news that are significantly impacting those businesses despite their size and scale. No business is immune to the devasting reputational impacts of a serious data breach.
When GDPR comes into force on 25 May, businesses will be required to notify the Data Protection Commissioner of a data breach if it poses a risk to the privacy rights of individuals. Also, if that breach causes harm to individuals such as identity theft or their data being harvested, the business must notify those individuals as well. Under GDPR individuals can sue for material and non-material damages if it is found that the data breach impacted them.
It is crucial to prepare for and have a data breach contingency plan in place now to avoid last minute panic or bad decision making during a crisis.
Step 1: Create a response team
Consider who will form the response team. What will their role be? Ideally you need people who are calm under pressure and who are great problem solvers to be able to manage the data breach. You should have someone from your IT department or outsourced IT provider as their knowledge and expertise in data breaches will be needed.
Step 2: Create a contact list for the response team
Create a contact list for those who are on the response team, who their stand-in person is if they are on leave or out sick. This contact list should be shared with all people within the business so that they can report all data breaches to the response team for assessment and management.
Step 3: Identify and list key experts
The contact list could include the details of the following key experts who will your help your business respond to and navigate the data breach:
- Forensic IT support – they will be needed to investigate the nature and scope of the data breach and what level of impact it will have on the privacy rights of individuals
- Legal counsel with data protection expertise – they can advise on how to manage the legalities of the data breach and to manage any potential claims
- PR communications person – they would need to be able to both manage media queries and ensure that everyone within the business gives consistent messaging to key stakeholders, customers and the public
It should be noted that you do not need these individuals on an on-going basis but as a back-up in case of an emergency, but you should ensure that they are contactable on a 24/7 basis if needed.
Step 4: Assess the scope of the breach and document its impact
It is important to prepare guidance on assessing the scope and impact of the data breach which will be conducted by the response team and key experts if needed. It is essential that all data breaches are documented and analysed to minimise future data breaches. For example, small data breaches that pose little or no risk to the privacy rights of an individual are your warning signs that tighter technical and organisational processes are needed to ensure a bigger data breach does not happen.
Step 5: Communicate with the Data Protection Commission
If the data breach poses a risk to privacy rights and freedoms of individuals and you become aware of this, you must report it within 72 hours. The contingency plan should document how this will be communicated to the Data Protection Commission within that timeframe.
Step 6: Create your data breach communication plan
Prepare your communication plan, which should include the following:
- Reporting the data breach to individuals who are impacted by the data breach
- Notifying the wider public through various printed and digital channels
- Ensuring that the messaging is consistent
- How to manage media queries. It can be useful for key people in the response team to be trained in managing media queries
- Consider if your business will need to implement a dedicated customer service hotline in case of a significant data breach
Step 7: Do a test run for a data breach
Many companies do fire drills so that all staff know what to do in case of a real fire emergency. It is strongly recommended that your business prepares for a data breach drill and test your contingency plan for its effectiveness and fine tune it so that you can be as prepared as possible if a data breach does occur.
GDPR will be one of our main topics of discussion at this year’s SFA Annual Conference so join us on 24 May and book your place now.
If you would like more information on GDPR or to discuss your requirements further, please contact Helen at SFA on 01 6051668 or at firstname.lastname@example.org or visit our GDPR section on www.sfa.ie/advice