With new regulatory requirements for data security introduced by the GDPR, ignorance of the risk of data breaches is no longer an option. Having appropriate controls in place to proactively detect and report breaches is now essential.
While in the past organisations may have been tempted to plead ignorance of a breach or instigate a cover up, the possibility of incurring a huge GDPR fine means that these attitudes need to change.
What does the GDPR say about breach reporting?
Under Article 33 of the GDPR, any organisation that acts as a controller of personal data must notify a personal data breach to the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Processors must in turn notify the controller without undue delay. Meeting that deadline presupposes procedures for detecting, investigating and documenting breaches. Where a breach is likely to result in a high risk to individuals, Article 34 additionally requires that the affected data subjects are informed without undue delay.
Under the GDPR a personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Notification to the supervisory authority is mandatory for every breach unless it is unlikely to result in ‘a risk to the rights and freedoms of natural persons’. A breach that is judged not to require notification must still be recorded internally, with the facts, its effects and the remedial action taken, so that the supervisory authority can verify that the decision was justified (Article 33(5)).
The notification to the appropriate supervisory authority, such as the ICO in the UK, must at least describe the following (Article 33(4) allows information that is not yet available to be provided in phases, without undue further delay):
- The nature of the breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned
- The likely consequences of the breach
- The measures taken or proposed to be taken to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects
- The name and contact details of the data protection officer or other contact point where more information can be obtained
Failure to notify a breach as Article 33 requires falls under the lower tier of administrative fines in Article 83(4): up to €10m or 2% of total worldwide annual turnover for the preceding financial year, whichever is higher. Infringements of the regulation’s core principles, including the integrity and confidentiality principle, and of data subjects’ rights attract the higher tier of up to €20m or 4% of worldwide annual turnover, and a breach that exposes inadequate security can be penalised under that tier as well.
How do the GDPR’s data requirements differ from the DPA 1998?
The stricter data protection requirements of the GDPR mark a departure from the existing legislation, the Data Protection Act 1998, under which breach notification was, for most organisations, ICO-recommended good practice rather than a legal duty. The absence of a legal duty has led some organisations to conceal breaches in an effort to preserve their reputation.
A recent incident at the ride-hailing company Uber demonstrates the lengths to which some organisations will go to limit the damaging fallout of a cyber-attack. In November 2017 Uber disclosed that in 2016 attackers had obtained the names, email addresses and phone numbers of around 57 million riders and drivers, along with the driving licence numbers of roughly 600,000 drivers. Rather than notify regulators or those affected, Uber is reported to have paid the attackers $100,000 to delete the data and keep quiet.
Many other organisations simply don’t become aware of breaches until it is too late. Recent high-profile attacks on TalkTalk (2015), Tesco Bank (2016) and Equifax (2017) led to vast swathes of customer data being compromised, and such incidents have heightened public anxiety over data security.
Preparing your organisation for the incoming GDPR breach reporting requirements
With a wide range of sophisticated cyber threats targeting organisations on a daily basis, breaches have now become an operational reality, something that is acknowledged by regulators.
Demonstrating compliance with the GDPR therefore requires a proactive approach to security: regularly testing and evaluating the effectiveness of security controls, which Article 32 itself requires, and being able to detect, investigate and document breaches quickly enough to meet the 72-hour notification deadline.
How Redscan can help
Through proactive network and endpoint security monitoring, our award-winning ThreatDetect™ MDR service can help to provide all the information your organisation needs to facilitate rapid breach identification, investigation and reporting. By utilising cutting-edge detection technology and industry intelligence, our 24/7 security experts work as an extension of your in-house team to rapidly identify threats and breaches and provide the reporting and remediation guidance needed to address them.
Redscan also offers a range of other services to support your organisation’s GDPR preparations. A Data Readiness Assessment, for example, includes a consultation workshop, gap analysis and onsite assessment to help you to quickly identify the extent to which your organisation is compliant with the regulation in its entirety.
Additionally, Redscan’s extensive range of cyber security assessments, including penetration testing and red team operations, provide an effective way to test your defences against the latest cyber threats and eliminate vulnerabilities before they can be exploited by cybercriminals.