Insurance is something you buy but hope you never need. In the event of an incident, you want to have a smooth process in place so that you can get back up and running as quickly as possible.
So, alongside your compliance procedures, it’s also important to put a process in place for any potential breach and keep it up to date over time. Even organisations with the best security and privacy preparations in place will face incidents, due to the sheer volume of new security flaws being discovered.
What should your data incident report cover?
A data incident and breach notification assessment should set out what GDPR requires of you when a breach affects personal data. The 72-hour clock is set by GDPR itself (Article 33): a controller must notify its supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to the people affected. That deadline applies to the UK Information Commissioner’s Office (ICO) and to every other EU supervisory authority alike; what differs from country to country is each authority’s own guidance on how to report and on what counts as "undue delay". Treat 72 hours as the outer limit rather than the target, and check the expectations of each authority you may have to report to.
Where a breach is likely to result in a high risk to the rights and freedoms of the individuals concerned, GDPR (Article 34) also requires you to tell those individuals without undue delay. Not every breach meets that threshold, so you will not need to contact customers in every case, but you must document every breach, its effects and the action taken (Article 33(5)), and the supervisory authority can ask to see that record, including your reasons for not notifying customers.
If you are a company with international operations, write down centrally which rules you have to follow, both for your own compliance and for the countries where customer data is held. Under GDPR’s one-stop-shop mechanism, your lead supervisory authority for cross-border processing is the authority in the EU country of your main establishment, not the country where the servers holding the data happen to sit, so central storage of customer records does not by itself change which regulator you deal with. If separate entities in each country hold and process their own customer data sets locally, the supervisory authority in each of those countries is competent for that local processing, and you will have to apply its guidance and any national rules that sit on top of GDPR there.
Why should you regularly review this compliance reporting?
Data breaches happen all too frequently. Whether the entry point is targeted social engineering of individual staff or scattershot phishing email carrying malware, a single compromised account or machine can give attackers a foothold in the IT network from which to reach customer data.
If and when an attack does succeed, you should already be familiar with the processes for investigation and notification. Having these steps documented in advance helps you respond calmly to internal stakeholders and to external parties alike. Regularly audit your customer records and your processes, though, to check that those policies still match how data actually flows through the business.
For instance, your data breach policy will need updating if your business starts working with a new supplier and shares customer records with them. A supplier that handles personal data on your behalf is a processor under GDPR, and Article 33(2) requires it to notify you without undue delay after becoming aware of a breach; your contract with them should spell out how and how quickly that notification reaches your incident team, because your own 72-hour clock depends on it. Similarly, if there are changes in how internal departments handle customer data, for example sharing data sets with other teams, then this should be recorded too. These changes may lead you to update your disclosure process or add stakeholders who must be informed.
Managing any investigation into a breach will be a stressful time. You will have the pressure of communicating with internal stakeholders alongside working with your supervisory authority (the ICO in the UK) and potentially dealing with customers and the media. Getting your GDPR compliance reporting process right at the start will help, but keeping it up to date as your company changes or expands will serve you even better in the long run.
Darron will be speaking at Data Protection World Forum happening 20th & 21st November at Excel London.
Book tickets to learn more from Darron and visit the Qualys team on stand 84.
By Darron Gibbard, Managing Director, Qualys