19 Jul Top 3 lessons learnt on how to be ready for handle a data breach
Being ready to handle a data breach is a major test for your privacy compliance program. How to limit the risk that data breaches can impair your business?
I had covered in the past in this blog post an outline of obligations applicable in case of data breaches and my guidelines on how to get ready to handle a data breach and limit the risks and potential liabilities deriving from it.
A few months after the applicable date of the GDPR, I believe that it is interesting to cover my top 3 scenarios of data breaches that I experienced assisting clients during this period and some recommendations of best practices:
1. A data breach might come from the past
There is no doubt that that prior to the applicability of the GDPR, there was a more “relaxed” approach to privacy compliance. Indeed, obligations to notify data breaches to the Data Protection Authority and the relevant individuals were in place only in limited circumstances.
However, if a data breach occurred before 25 May 2018 and is still ongoing since personal data that were not meant to be disclosed are still in the availability of the relevant recipient, the issue is whether such data breach now falls under the scope of the GDPR with the relevant obligations.
Once a potential data breach is identified, you should be ready to assess on whether it has to be notified to the competent Data Protection Authority and the affected individuals. Indeed, with reference to the events of the past, it is likely that the data breach does not pose any risk for individuals as for instance either data are no longer relevant or adequate security measures have been adopted after the disclosure to protect data.
ACTIONS: The matter and the actions to be taken shall be reviewed on a case by case basis. But it is important that such events are mapped as part of the data mapping exercise run in order to make the company compliant with the GDPR. And such data mapping also covers the review of the measures adopted following the data breach to assess whether a notification will be at any time needed.
The scenario is summarised below in my video as part of my videoblog Diritto al Digitale
2. A data breach might come from your employees’ “standard practice”
A quite common scenario is that employees send company documents to their private email accounts in order to work during the week-end without the need to be connected to the VPN of the company. This is a very “innocent” conduct which means that no employee will ever notify internally such conduct as a data breach.
However, if company documents containing personal data are sent to private email addresses, they fall out of the control of the company. This means that personal data contained therein
- will no longer be protected with the company security measures and might be disseminated to third parties with no control by the company;
- will not be mapped and tracked by the IT systems of the company; and
- cannot be cancelled on the expiry of the relevant retention period and on the contrary it is likely that, even if an employee leaves the company, data will be on his inbox forever.
ACTIONS: The measures to be taken need to be proportional to the level of risk deriving from the data processing activity of the company. Therefore a considerably lower risk will arise for instance in relation to a company that mainly performs a B2B business which shall implement more limited measures. In relation to companies that present a medium/high risk of data breaches, it might be recommendable, among others, to
- expressly provide in the internal data protection handbook that company related documents cannot be sent to employees’ private accounts. This is a best practice also to protect the trade secrets of the company, as discussed here;
- block the access to private email accounts, cloud, file sharing platforms and social media by means of the company’s PCs, laptops and mobiles;
- require that company documents are stored on the company’s drive, blocking the possibility to save files on the PCs, tablets and mobiles;
- blocking the USB doors of PCs, allowing to transfer files only to encrypted USB keys that are provided by the company and
- provide that the company’s email address has to be used only for company related activities, preventing their usage private purposes.
3. A data breach might come from your suppliers
It happens quite frequently with suppliers that
- there are long term relationships with which a large number of personal data is exchanged. But when the contractual relationship is terminated such data are neither deleted nor returned to the data controller, and the relevant data processing agreement does not have specific instructions on how to handle personal data on the termination of the contract;
- there is no dedicated channel of communication for data breaches. Indeed, data processing agreements usually provide that data breaches need to be notified to the data controller, but they either do not provide how this has to be done or refer to the generic email address for contractual notifications. This raises the risk of communications that are not timely sent and might be even ignored, if for instance the supplier communicates the data breach to his main contact in the company who is not normally the inhouse counsel; and
- the relationship has not been regulated in a data processing agreement and there is unclarity on the role of the supplier as data controller or data processor in relation to specific categories of personal data.
ACTIONS: It is essential that a very detailed data processing agreement is in place with each data processor in order to be ready to handle a data breach. Such data processing agreement shall, among others,
- provide for the deletion of the personal data received, following the termination of the contractual relationship, unless the data controller requires otherwise;
- have a dedicated email address for the notification of data breaches, with also a dedicated form for notifications in order to ensure that the supplier communicates the information that potentially has to be sent to the data protection authority; and
- depending on the level of risk involved in the data processing activity, include a checklist to assess the level of data protection compliance of the supplier.
None can be 100% ready for a data breach
Hackers are always ahead of their victims and having in place a data breach program able to get your company ready to handle any possible data breach is impossible. However, you shall prove compliance with an adequate level of diligence in order to minimize damages and potential sanctions.
What is your view on the above? You may read on the same topic “What to prevent and react to a data breach under the GDPR?” Happy to discuss and if you found this article interesting, please share it on your favourite social media and register to our newsletter