EU GDPR: There’s been a personal data breach. Now what?
You’ve seen the headlines. You’ve received the countless emails. You know the increasing value of personal data and you may have even been involved in preparing for the General Data Protection Regulation of the EU (EU GDPR) within your organization. As businesses around the world grapple with the requirements of EU GDPR compliance, here’s what you need to do in the event of a personal data breach.
Notify the Data Protection Officer
The Data Protection Officer (DPO) should be familiar with the organization’s IT systems and data-processing practices. In the event of a personal data breach, the DPO advises on the severity of the breach (including the risk to the rights and freedoms of natural persons) and on its likely consequences, and acts as the contact point for the Supervisory Authority. Note that under the GDPR the controller, not the DPO, remains accountable for the notification decision, and if you are acting as a processor you must also notify the controller without undue delay after becoming aware of the breach.
Assess the requirements
Under Article 33 of the GDPR you must notify the Supervisory Authority without undue delay and, where feasible, not later than 72 hours after having become aware of a personal data breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. A notification made later than 72 hours must be accompanied by the reasons for the delay. Whether or not you notify, you must document every breach (the facts, its effects and the remedial action taken) so that the Supervisory Authority can verify your decision, which is why seeking the advice of the Data Protection Officer is essential.
Investigate the personal data breach
It is key that you are able to provide as much relevant information as possible about the personal data breach. Treat the following as priorities:
- The nature of the breach:
  - Who accessed what, and when?
  - Which categories of personal data are involved, and how were they being processed?
  - What is the approximate number of data subjects and personal data records concerned?
  - Who are the affected individuals?
- A record of the measures that were in place to prevent such a breach
- An estimate of the impact of the breach
- Forensic details (logs, timeline, evidence preserved)
- Details of the mitigation procedure or remedial plan
Decide next steps
Based on the outcome of your investigation and in conjunction with your Data Protection Officer, decide whether notifying the Supervisory Authority is necessary. Above all, define the steps the business must follow to contain the personal data breach and prevent further unauthorized access to personal data. You will also need to brief key stakeholders within the business and, where required, the individuals affected by the breach.
If required, notify the Supervisory Authority and follow its instructions. If the breach is likely to result in a high risk to the rights and freedoms of natural persons, you must also communicate it to the affected individuals without undue delay. For that communication to be compliant, it must describe the nature of the breach in clear and plain language and include:
- The name and contact details of your Data Protection Officer (if you don’t have one, another contact point from whom more information can be obtained, such as a Systems Manager or Compliance Officer/Legal Counsel).
- A description of the likely consequences of the personal data breach.
- A description of the measures taken or proposed to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Separately, give clear and prompt instructions to all internal stakeholders on mitigating the impact of the breach. That internal communication should address the perceived business risks, including the operational, system and logistical implications of the investigation.
The above guidelines give a high-level overview of the steps that should be followed in the event of a personal data breach. But the best way to ensure EU GDPR compliance is to properly prepare your teams.
Lobster Ink’s practical EU GDPR compliance training for Managers and Associates comprises two comprehensive training solutions, covering the relevant knowledge and behaviors to protect personal data. Inquire today.
Originally published at lobsterink.com on November 7, 2018.