How to handle a personal data breach?
The logic of accountability promoted by the new regulations on personal data leads professionals of all sizes to worry about the security of the data processed in the course of their activity. Here is a non-exhaustive list of steps for handling a personal data breach.
It is essential to have an organizational and procedural arsenal for dealing with any security incident, whatever its type. From identification to eradication of the threat, everything must be framed and structured within the company to prevent a personal data breach from occurring again.
1. Identifying the data breach and assessing the risk
Launching an internal management procedure is pointless if the company is not actually faced with a personal data breach. What does this mean? It can be described as a security breach that leads to the "accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of personal data". The security flaw observed can be of any kind (logical, physical, or even organizational).
The existence of a security breach therefore points to several possibilities, including the insufficiency of the protective measures in place within your company's information system, or quite simply the absence of technical and organizational measures, which are nevertheless required for compliance in your country.
The company must therefore be able to clearly recognize a personal data breach if it wants to put in place the system required by the applicable regulations. A security incident that does not involve personal data does not trigger these obligations under your country's rules. For example, a security incident may consist of a violation of the rules applicable to the company's internal processing.
Once the personal data breach has been identified, it is essential to assess the risk, that is, the impact this breach has on the data of the persons concerned. To do this, the company must in particular consider the type of breach, the degree of harm to personal data (nature and volume of the data affected), the number of data subjects impacted, the nature of the impact (material, physical or even moral), and the company's business sector.
These criteria will guide the company in determining the exact nature of the breach (confidentiality, integrity or availability of the data) and allow it to define a real procedure leading to the best possible management of the personal data breach.
2. Set up a procedure dedicated to managing violations
The objective is to define a framework that establishes how the personal data breach will be contained, managed and remedied.
The procedural management of the breach presupposes the prior existence of a system of governance, embodied by a group of competent roles within the company, which may be called a "crisis committee" in larger companies. This group must bring together all the skills needed to organize the response to a data breach, but also to assess the breach in its legal, technical, financial or even reputational aspects.
Once this backbone has been built, it is then easy to deploy an internal process specifically dedicated to dealing with the breach, at the center of which is an action plan. The plan determines the roles and responsibilities of each actor when a breach occurs and sets out all the tasks to be carried out in response to the event.
The process must remain stable over time and must above all involve a sufficient number of participants: it is essential that it be disseminated internally in order to establish a culture of personal data security. This also involves training the company's employees on the subject.
3. Document the personal data breach (Internal + External)
The documentation of the personal data breach is carried out at two levels.
Internally, first of all, the event must be recorded in a register dedicated to this purpose. When an incident of this type occurs, it is necessary to document at least the facts, the consequences of the breach, and the measures taken to mitigate or remedy it.
This register will contain all personal data breaches known to the company, including those that are not subject to external notification.
Now extended to all categories of companies by national rules and regulations, notification of personal data breaches must be made to the supervisory authority, and in some cases to the persons concerned by the processing of personal data. In which precise cases is this notification necessary?
The notification to the supervisory authority must be made within 72 hours of the data controller becoming aware of the incident, on the condition that a risk exists for the rights and freedoms of the persons concerned, regardless of its severity. It is therefore essential to have a specific process for data breaches so that the Data Controller can react quickly in handling and reporting the security incident. If the Data Controller cannot comply with the 72-hour period for notifying the supervisory authority, it must justify this with compelling reasons presented to the said authority.
To support the company in carrying out this notification properly, your government or national data breach committee provides a form listing the information required for a complete and compliant notification.
Conclusion on how to handle a personal data breach?
Data subjects must be notified of the personal data breach as soon as possible, but only when it represents a high risk for their rights and freedoms. However, the regulations give the Data Controller leeway with the option of not notifying them of the breach when:
- The necessary technical and organizational measures have been applied to the data affected by the breach,
- It appears that the Data Controller has implemented solutions that ensure the type of data breach previously suffered will not recur.
In the same way as the transparency required towards the supervisory authority, the persons concerned must be told the content of the data breach (facts and consequences), as well as the measures envisaged and taken to remedy the problem.
Throughout this breach management, the external or internal DPO (Data Protection Officer) has a role to play in internal risk assessment and serves as the point of contact for the supervisory authority and the persons concerned. The DPO has a major responsibility in the course of the process and coordinates the steps to be taken by the various stakeholders.
A personal data breach concerns many operational staff, depending on the size of the company, and must be subject to rigorous procedural supervision. Current events show that known attacks on the largest entities may have affected hundreds of millions of data subjects and involved personal data of significant weight, and the remediation of such breaches is unthinkable without the establishment of such a process.