GDPR Breach Guidelines, in May 2018. The regulation was introduced to protect personal data from misuse, unlawful disclosure, and damage. What is a data breach? When must you report one? What practical steps can each employee take to prevent a breach from happening?
The GDPR itself defines the term. A personal data breach is a breach of security that leads to "the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed."
For example, you may lose a device: your laptop, your mobile phone, or a tablet. That loss can be a data breach. Another is an email sent to the wrong recipient. Another is a successful phishing attack that gives an outsider access to a mailbox or an account.
In short, anything that exposes or discloses personal data to someone not authorised to have it. So what should you do when a breach occurs?
Report A Breach
A personal data breach covers more than exposure: destruction of data and loss of access to it also count. Once you become aware that a breach has occurred, weigh a few factors.
First, ask whether the breach is likely to result in a risk to people. Second, ask whether it puts the rights and freedoms of the affected individuals at risk. Also consider how likely harm is and how severe it could be. Remember that not every breach has to be reported to the supervisory authority; only those likely to result in a risk to the individuals concerned.
So, what factors can contribute to making a breach reportable?
- Exposure of sensitive personal data
- Theft of a device with personal data
- Unauthorized access to personal data
What makes a breach unreportable? A common case is a lost or stolen device whose data is protected by strong encryption, provided the key has not been disclosed or compromised. The data is then unintelligible to whoever has the device, so the breach is unlikely to result in a risk to anyone, and the controller need not report it.
In a high-risk case, the affected individuals (the "data subjects") must be notified as well, and without undue delay. They need to know that they are affected and what protective steps they can take, such as changing passwords or watching for fraud. That notice adds a layer of protection for them.
When To Report A Breach
You must notify the supervisory authority no later than 72 hours after becoming aware of the breach. Does that sound like a short window?
It is less blunt than it seems. The timer starts when the data controller becomes aware of the breach, and a mere suspicion is not yet awareness. A short initial investigation is allowed to establish whether personal data has actually been compromised. Once there is a reasonable degree of certainty that a breach has occurred, the 72-hour clock starts to tick.
You can also notify in phases. If you know a breach has occurred but do not yet have all the details, send the initial notification within the 72 hours with what you know, state that the investigation is ongoing, and supply the remaining information as it becomes available without undue further delay. The GDPR expressly allows this.
If the investigation later shows that no personal data was compromised after all, you can inform the authority and withdraw the notification.
Prevent A Breach
Report any lost or stolen device immediately. Second, always double-check the recipient before sending an email. Third, when emailing many people, put them in BCC rather than CC, so that one recipient cannot see everyone else's address. Fourth, keep laptops and phones encrypted and locked, so that a lost device does not automatically become a reportable breach.
In conclusion, data protection is everyone's responsibility, and these small, practical habits prevent most everyday breaches.