From 25 May 2018, GDPR breach notification becomes a duty for every business that processes personal data. Once you become aware of a personal data breach, you must notify the supervisory authority (in the UK, the ICO) without undue delay and, where feasible, within 72 hours.
What exactly does this mean?
Under GDPR, a personal data breach is defined as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data". A very long-winded explanation! In simple terms: if your business has a data breach that involves any personal data, such as a name, address, bank details, employee number or national insurance number, it must be reported to the ICO.
There are certain caveats. You only have to report a breach if it is likely to result in a risk to the rights and freedoms of individuals, i.e. if it could cause them detriment: discrimination, damage to reputation, financial loss, loss of confidentiality, or any other economic or social disadvantage. A breach that is unlikely to result in such a risk need not be reported, but you must still document it internally.
Still confused? Join the club, and the industry in general. Frankly, nobody yet knows how strictly this will be applied in practice; all you can do is prepare for it and put systems in place to protect yourself.
What should a GDPR breach notification look like?
As mentioned, you have 72 hours from the time you become aware of the breach. This is worrying when you consider that in EMEA it takes an average of 469 days to detect a breach!
The details you must include in your data protection breach notification are:
1. How many individuals are affected
2. How many personal records have been accessed
3. The name and contact details for the Data Protection Officer (if you have one)
4. What the consequences of the breach are
5. A description of the measures taken to deal with the breach and where appropriate, the measures taken to mitigate any possible adverse effects.
From an IT perspective, number 5 is the one that matters, and to answer it you need to know the following:
1. Which data set has been breached?
2. Where is that data set stored, and are there any other copies of it?
3. How did the breach occur?
4. How did you find the breach?
5. How are you going to stop it happening again?
The problem is where you are going to get this information from. Yes, you can check your firewall logs. But if the attacker got in through a phishing email, the initial access looks like ordinary mail and web traffic, and the firewall logs will tell you nothing useful. If the breach was a disgruntled employee who copied the data out of a spreadsheet and saved it under a new name, you still won't know: the file could have gone onto a USB stick, into a personal cloud storage account or out to a personal email address. Each of those actions bypasses your firewall logs, and quite possibly any Data Loss Prevention (DLP) system you have, particularly one that matches on file names rather than on content.
The only way to truly find out how your data breach happened, and to have a full audit log to hand, is to record activity on the endpoints themselves with dedicated software. For many years insider threat protection software was only available to the corporate/enterprise market because of its cost, which put it out of reach of SMEs, charities and many other businesses. That is now changing, and we can thank GDPR for it.
Now your business can have a full audit trail of every piece of data within your network. Built-in behaviour analytics will show you when an employee is acting out of character. If you are breached, you will be able to see where the breach happened and what data was affected, and then make an informed decision on how to mitigate further risk based on exact data, not guesswork.
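As an added illustration (this is not code from the article or from any of the products mentioned), the following Python sketch shows what such an endpoint audit trail has to do to answer the five questions above: track files by content hash so that a rename does not break the trail, flag copies to removable media, cloud uploads and personal email even when the agent logged only a file name, list every place a data set has been seen, and compare a user's sensitive-file reads against a baseline. The events, hashes, users, paths, baseline numbers and the "classification scan" that populates the sensitive set are all constructed for the example.

```python
"""Added example: an endpoint audit trail that still identifies a renamed
copy of a personal-data file when it leaves via USB, cloud or personal email.
All telemetry below is constructed sample data, not output of a real product."""
import hashlib
from collections import Counter, defaultdict


def _h(s):
    return hashlib.sha256(s.encode()).hexdigest()


# Content hashes a classification scan has tagged as personal data.  The scan
# is assumed; the hashes are derived from made-up strings.
H_PAYROLL = _h("payroll,name,NI number,bank")
H_CUSTOMERS = _h("customer,name,address")
H_INVENTORY = _h("laptop,asset tag")          # not personal data
SENSITIVE = {
    H_PAYROLL: r"\\fs01\hr\payroll_2018.xlsx",
    H_CUSTOMERS: r"\\fs01\sales\customers.csv",
}

# Routes out of the building that firewall logs never see as a file transfer.
EXFIL_CHANNELS = {"removable", "cloud", "personal_email"}

# Assumed per-user daily norm of sensitive-file reads (constructed numbers).
BASELINE_READS = {"alice": 1, "bob": 4}


def ev(ts, user, action, path, sha256=None, dest=None, channel=None):
    """One endpoint audit event.  sha256 is None where the agent recorded
    only a file name (e.g. an email attachment)."""
    return dict(ts=ts, user=user, action=action, path=path,
                sha256=sha256, dest=dest, channel=channel)


SAMPLE_EVENTS = [
    ev("09:02", "alice", "read", r"\\fs01\hr\payroll_2018.xlsx", H_PAYROLL),
    ev("09:10", "alice", "read", r"\\fs01\sales\customers.csv", H_CUSTOMERS),
    ev("09:41", "alice", "read", r"\\fs01\sales\customers.csv", H_CUSTOMERS),
    ev("10:15", "alice", "read", r"\\fs01\hr\payroll_2018.xlsx", H_PAYROLL),
    # copy to local disk, then rename: the name no longer says "payroll"
    ev("10:16", "alice", "copy", r"\\fs01\hr\payroll_2018.xlsx", H_PAYROLL,
       dest=r"C:\Users\alice\q1.xlsx"),
    ev("10:17", "alice", "rename", r"C:\Users\alice\q1.xlsx", H_PAYROLL,
       dest=r"C:\Users\alice\holiday_photos.xlsx"),
    # three ways out; the upload and email events carry no hash
    ev("10:20", "alice", "copy", r"C:\Users\alice\holiday_photos.xlsx", H_PAYROLL,
       dest=r"E:\holiday_photos.xlsx", channel="removable"),
    ev("10:25", "alice", "upload", r"C:\Users\alice\holiday_photos.xlsx",
       dest="dropbox.com", channel="cloud"),
    ev("10:31", "alice", "email", r"C:\Users\alice\holiday_photos.xlsx",
       dest="alice.home@example.com", channel="personal_email"),
    # bob: ordinary activity, nothing to report
    ev("11:00", "bob", "read", r"\\fs01\it\inventory.xlsx", H_INVENTORY),
    ev("11:05", "bob", "copy", r"\\fs01\it\inventory.xlsx", H_INVENTORY,
       dest=r"E:\inventory.xlsx", channel="removable"),
    ev("11:30", "bob", "read", r"\\fs01\sales\customers.csv", H_CUSTOMERS),
]


def analyse(events, sensitive=SENSITIVE, baseline=BASELINE_READS):
    """Return {'alerts': [...], 'copies': {dataset: [locations]}}."""
    path_hash = {}                 # current path -> content hash
    copies = defaultdict(set)      # dataset -> every place its content was seen
    reads = Counter()              # sensitive reads per user
    alerts = []
    for e in events:
        # Resolve content by hash, or by a path an earlier copy/rename linked.
        h = e["sha256"] or path_hash.get(e["path"])
        if h is None:
            continue
        if e["action"] in ("read", "copy", "rename"):
            path_hash[e["dest"] or e["path"]] = h
        dataset = sensitive.get(h)
        if dataset is None:
            continue
        copies[dataset].add(e["dest"] or e["path"])
        if e["action"] == "read":
            reads[e["user"]] += 1
        if e["channel"] in EXFIL_CHANNELS:
            alerts.append({"kind": "exfiltration", "ts": e["ts"], "user": e["user"],
                           "dataset": dataset, "seen_as": e["path"],
                           "channel": e["channel"], "dest": e["dest"]})
    # Crude "out of character" check: reads above three times the user's norm.
    for user, n in reads.items():
        norm = baseline.get(user, 0)
        if n > 3 * max(norm, 1):
            alerts.append({"kind": "behaviour", "user": user,
                           "reads": n, "baseline": norm})
    return {"alerts": alerts,
            "copies": {k: sorted(v) for k, v in copies.items()}}


if __name__ == "__main__":
    result = analyse(SAMPLE_EVENTS)
    for a in result["alerts"]:
        print(a)
    for dataset, where in result["copies"].items():
        print(dataset, "->", where)
```

Run stand-alone it reports three exfiltration alerts for alice, all attributed to the payroll file even though every one of them names `holiday_photos.xlsx`, one behaviour alert for her four sensitive reads against a baseline of one, and a list of six locations the payroll content has been seen (the share, two local paths, the USB stick, the cloud domain and the personal address), which is exactly the "where is it stored and are there other copies" answer the notification needs. Bob's USB copy of a non-personal file produces nothing.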
At Unleashed we offer three different insider threat solutions: Dtex Systems, ObserveIT and ZoneFox. Each vendor's product works slightly differently, and each is designed to support GDPR breach notification compliance.
Still confused, or more confused after reading this article? Contact Unleashed for an initial chat. Hopefully our straight talking will help.