What is a data breach and how do I report it under GDPR?

If you’re a casual observer of data privacy issues, you might assume from news reports that large-scale data breaches are happening every day. While the problem might not be quite that widespread, the concern is very real.

A recent Pew research study found that at least 64% of Americans have experienced a major data breach. Australia recently reported 63 data breaches over a period of just six weeks. A 2018 hack at a UK electronics retailer may have impacted as many as 10 million consumers. Clearly, this is a widespread issue, and it’s not going away any time soon.

What is a data breach, exactly?

The word “data” covers a lot of territory on the web, so determining what constitutes a data breach can be a little tricky. The European Union’s General Data Protection defines personal data breach as: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

With that in mind, we can reasonably define a data breach as a security incident in which information is accessed without authorization. The public image of data breaches tends to involve malicious hackers prowling the internet for sensitive information. That is sometimes the case, but breaches are just as likely to be the result of human error or internal mishandling. The aforementioned UK breach, for instance, was the work of hackers out for personal banking information, while more than half of the Australian cases were traced back to organizational mistakes. Whatever the cause, these breaches put consumers at risk and violate the trust between an organization and its users.

Reporting Data Breaches

While the GDPR leaves the meaning of data breaches fairly broad, it’s much more specific about how to handle them. Article 33 of the GDPR is titled “Notification of a personal data breach to the supervisory authority,” and it lays out the proper data breach procedure in no uncertain terms. Data controllers must report any breach to the proper supervisory authority within 72 hours of becoming aware of it. If the breach is discovered by a data processor, the data controller should be notified without undue delay.

The notification to the supervisory authority must include several specific pieces of information, including:

• The nature and scope of the data breach, including when possible categories of data, number of data subjects, and number of personal data records involved
• Contact information for the organization’s data protection officer or other contact point
• Potential consequences of the breach
• What the controller intends to do to address the breach and limit the threat to data subjects

Organizations that fail to report a data breach in the allotted 72-hour time frame do have a chance to explain reasons for the delay, but may still face fines and penalties.

Developing a Data Breach Response Plan

If there’s one thing the past decade of data protection history has taught us, it’s that no organization is safe from data breaches. Even if you feel confident in your company’s security, it pays to be proactive by having a data breach response plan in place before it becomes an issue. The specifics of your response plan will vary according to the needs of your organization, of course, but the Office of the Australian Information Commissioner has compiled a useful checklist that serves as a solid guideline for most. Be sure that your response plan includes:

• Your organization’s definition of a data breach and how your employees can identify one
• Clearly defined procedures and a chain of command for reporting a data breach
• The roles and responsibilities of each member of your data breach response team
• Plans for handling various kinds of data breaches with various levels of risk involved
• Ideas for assessing the success or failure of your mitigation efforts
• Plans for notifying affected data subjects, law enforcement, and supervisory authorities about the breach
• Full documentation and record-keeping processes
• Lists of your post-breach obligations under insurance policies, service agreements, and any other third-party contracts
• Plans to investigate, identify, and eliminate any security or procedural lapses that led to the data breach
• Regularly scheduled tests and reviews of your data breach response plan

Obviously, there’s a good deal of work involved with getting your organization prepared to deal with a data breach, but it’s all work that’s well worth doing. It may help to think of data breaches as a “not if, but when” situation. By taking preventative measures while also assembling a detailed plan for dealing with the aftermath of a data emergency, you can help minimize the potential impact on both your users and your organization.