How to respond to a data protection breach under GDPR
If your organization collects or uses consumer data from European Union (EU) residents, the General Data Protection Regulation (GDPR) applies to you. In particular, the GDPR plays a significant role in determining what organizations should do in the event of a data breach. By knowing more about the GDPR and how you must comply with it after a data breach, you can better protect your organization's and customers' sensitive information.
Find out more about what the GDPR is, its main requirements for organizations after a data breach, and how you can prevent data breaches from occurring in the first place.
What is the GDPR?
The GDPR is the EU's data privacy and security law that sets requirements that organizations need to follow when collecting data from EU citizens and residents.
The GDPR has been in effect since May 25, 2018, with the EU using it to make a stand on the importance of data security and privacy in the digital age. Since more people are giving their personal data to organizations through cloud services, websites, and more, the EU created the GDPR to clearly define how companies should handle sensitive user information. When an organization fails to meet security and privacy standards set by the GDPR, it can face harsh fines and penalties.
Since organizations regularly gather personal data from users and customers, the GDPR puts regulations in place to better protect this data from bad actors. By following the GDPR, companies ensure they've collected this information legally. The GDPR also requires organizations to protect the data they gather from exploitation and misuse. Additionally, organizations must respect their data owners' rights.
Standards laid out around personal data, consent, and privacy in the GDPR aim to provide EU citizens with greater control over their personal data. Another goal of the GDPR is to simplify processes for businesses. Overall, there are numerous rules and standards around personal data, consent, and privacy in the GDPR.
Does the GDPR set rules for data breaches?
Due to the frequency of data breaches, the GDPR has a few rules for how an organization should respond to a data breach. The GDPR's breach rules attempt to improve reporting on data breaches to ensure customers and relevant authorities are fully aware of a breach as quickly as possible.
These rules also aim to make organizations resolve data breaches quickly to prevent further damage and future breaches. The GDPR's standards and regulations apply to data controllers that handle sensitive information, with the data controller being an organization that stores personal data.
What to do after a data breach
Since the GDPR applies to data breaches, you'll want to know how to stay compliant if an incident occurs. When a breach happens, the GDPR often requires that an organization report the incident and contact affected data subjects. An organization should then repair vulnerabilities so the breach can't do more harm or reoccur in the future.
Learn more about how to respond to data breaches while following the GDPR below:
1. Report the incident
As soon as you become aware of a data breach, assess the situation's severity and see if personal data has been stolen or exposed. The GDPR requires you to make a report to a competent supervisory authority within 72 hours of discovering the breach. An organization's report to the supervisory authority should include the following:
Nature of the data breach
The report must include the personal data breach's nature. Details about the breach should include the approximate number and categories of data subjects and personal data records affected by the breach.
Contact point information
The incident notification should also communicate the name and contact details of the data protection officer or another point of contact. This ensures the authority and other parties can request more information as needed.
Consequences of the data breach
Another primary element of a personal data breach report is an outline and review of the breach's likely consequences.
Plans to address the data breach
The final section of a GDPR data breach report must describe the measures the controller has proposed or taken to address the personal data breach. Where appropriate, this section should also include information about measures designed to mitigate the breach's potential adverse effects.
While you'll usually have to report data breaches, organizations that meet the requirements for an exemption won't need to make a report. If an organization can show a data breach is unlikely to put people's rights and freedoms at risk, it won't have to report the breach.
Note that organizations must also use the accountability principle to back up their claims of unlikely risk. Though exempt organizations won't have to report data breaches to a supervisory authority, they still need to document the breach in their incident report register.
2. Contact affected data subjects
After an organization reports its personal data breach to the required supervisory authority, it usually has to contact the affected individuals and make them aware of the breach.
The GDPR mandates that a controller communicate the breach if it poses a high risk to natural persons' freedoms and rights. The regulation also makes it clear that this notification must be made without undue delay. In the notification to the data subject, the organization will need to describe the nature of the personal data breach in plain and clear language.
This notification also has to cover some of the various measures and information contained in the incident report. The sections of the data report that the organization must communicate include contact point information, data breach consequences, and plans to address the data breach.
While organizations often have to contact affected data subjects, the GDPR has a few conditions where organizations don't have to alert affected individuals. If an organization meets any of the following conditions, it won't have to contact affected data subjects:
Use of effective protection measures
If a controller has implemented organizational and technical protection measures and applied those measures to the personal data impacted by the breach to ensure it's unintelligible to unauthorized users, it won't have to contact the affected data subjects. The GDPR notes that encryption is a particularly effective protection measure to make data unintelligible.
Unlikely materialization of high risk
When a controller has taken steps to ensure high risks surrounding its data subjects' rights and freedoms won't likely materialize, it won't have to contact its data subjects.
Disproportionate effort
If contacting affected data subjects would involve disproportionate effort, controllers aren't required to contact data subjects individually. However, the organization is still required to publicly communicate the breach to data subjects. This public communication must also be as effective as privately communicating the information to the data subject.
3. Repair the breach
Alongside reporting the personal data breach to a relevant authority and contacting affected customers, organizations must also make repairs following the data protection breach. While an organization reports the breach and contacts customers, it will want to repair the breach to ensure bad actors can't do more damage. The first step to resolve a personal data breach at your organization will be to identify the breach's source and find out how it occurred in the first place.
With the breach identified, your team can begin to update firewall rules and patch software. Personnel can also start creating additional safeguards to prevent the breach from occurring at your organization again.
After a breach occurs, part of the repair process will often include your team reaching out to third-party providers to receive advice about handling the breach. When your team has assistance from your third-party service provider, they can more easily spot the hosted infrastructure's vulnerabilities and fix them. Alongside third-party provider support, you'll likely want to update your infrastructure and affected software quickly to prevent the breach from happening again.
How to avoid future data breaches
When you want to comply with the GDPR and avoid fines, one of the best ways is to prevent data breaches from occurring in the first place. Since the GDPR requires organizations to protect user data privacy, taking steps to stop data breaches is essential. By better guarding your customers against data breaches, you can fully comply with the GDPR's laws.
As you attempt to protect your customers and organization from data breaches, review some of the top tips for avoiding future data breaches below:
1. Create an employee security awareness training program
One of the biggest security threats to organizations is their employees. While most employees won't try to harm your company and knowingly allow a data breach, they can make mistakes that lead to compromised data. For example, an employee might download a virus by accident after opening a suspicious email. To prevent such errors, implement employee awareness training that covers cybersecurity standards and GDPR compliance.
Creating a security awareness training program can help you routinely educate your employees on keeping data safe. Instead of making employee training a one-time occurrence, it's best practice to schedule sessions monthly or quarterly. By constantly reinforcing security standards, you're more likely to change employee behavior and protect your organization from data breaches. Additionally, you might want to monitor your employees to evaluate your training program's effectiveness and areas where you can improve.
2. Limit employee access to sensitive data
When you handle sensitive data, you'll need to limit access to it from your employees. While data breaches can come from external bad actors, they can also come from disgruntled employees. In addition to the danger of disgruntled employees, giving more employees the ability to access your organization's sensitive information can raise the chances someone clicks on a harmful link or falls for a scam that leads to data loss.
If your employees don't need to access sensitive data to do their job, you should limit them from viewing it. Doing so reduces the risk of data breaches, whether it be from an employee making a mistake or a staff member wanting to harm the company. An organization that's attempting to comply with the GDPR regularly partitions off its data from employees who don't need it to better protect the privacy of its data subjects.
3. Update software
One of the simplest ways to protect your customers' data and your organization from data breaches is regularly updating your software. When your network and applications aren't updated and patched, they're more vulnerable to attacks. As a result, organizations that don't update their software as soon as possible open themselves up to data breaches.
An organization serious about keeping its sensitive data secure will monitor its software and operating systems, making sure to install updates and patches as soon as they're available. It's also smart to use software to automatically check if your programs are updated and patched, helping you take action fast when your systems or applications are outdated. Regularly updating your software is one of the most cost-effective and straightforward ways to prevent data breaches.
4. Create a data breach response plan
Although you can take multiple steps to protect your sensitive information, data breaches can still occur. When a data breach happens, you need a data breach response plan to minimize damage and maintain customer confidence. This sort of plan will give your employees a roadmap they can use in the event of a data breach, and the order in which they should take action.
Alongside laying out the appropriate actions for data breaches, the plan should identify who's responsible for various tasks related to mitigating the breach. When everyone knows their specific responsibilities, your company can respond to a data breach quickly and prevent it from doing more damage. A plan will also help you create a breach register to document the data breach and more quickly send a report to the relevant GDPR authority.
5. Ensure third-party vendors comply with cybersecurity standards
Most organizations partner with third-party vendors to improve their business or make various operations possible. Before working with any third-party vendor, it's critical to know their reputation and if they're committed to security. Even when you trust a vendor, you should still limit access to the sensitive data they can view.
When a third-party vendor needs to access your sensitive data, it's critical to ensure they comply with cybersecurity standards and regulations, such as those from the GDPR. While these vendors access your data, you'll want complete transparency from them to see if they actually need the data and aren't misusing it. Conduct background checks on vendors to verify they have an exceptional security track record. Before you do business with them, check if they comply with privacy laws and take cybersecurity seriously.
6. Enable and enforce adoption of secure software
In the digital age, software is the backbone of many organizations' operations, because it makes collecting, storing, handling, and analyzing data much easier. Prevent data breaches by ensuring your data has secure tools and features that block cybersecurity threats. For example, a secure software program might provide your organization with controls to prevent data leaks and encryption keys to stop hackers from viewing stolen data.
The Content Cloud is one of the most secure platforms on the market today. Box regularly helps companies make their data more secure and comply with various regulations, such as the GDPR. Box Shield is one of our security and compliance solutions that helps ensure organizations have the tools to guard against data breaches and maintain customer privacy.
If you're interested in upgrading your security and better complying with the GDPR, take a moment to review some of the top features Box offers:
Simplified governance and compliance
Since you must comply with the GDPR, we've created governance and compliance tools to make it easier for you to meet the GDPR's standards. With Box Governance, you can set customizable policies designed to assist you in disposing of, preserving, or retaining sensitive data.
Box Zones can help you meet international data residency requirements, such as those set by the GDPR, so you can meet the strictest global privacy and compliance standards and avoid paying fines.
Full visibility and control
Having greater visibility over your employees, third-party vendors, and users can help you catch issues earlier. Box offers complete audit trails to give you insight into what's happening inside and outside your company. With our controls, you can quickly stop suspicious activity before it results in a breach. Since Box utilizes machine learning, it automatically detects risks and informs you, giving you greater visibility over your entire organization.
Frictionless security
The frictionless security tools Box offers provide you with built-in controls to protect your content. For example, our controls feature strong two-factor authentication and granular permissions.
Additionally, you can use our controls to encrypt files in storage or transit with AES 256-bit encryption. Box KeySafe makes it easy to manage your encryption keys and ensure only authorized users have access to sensitive data.
Seamless integrations
The Box Trust ecosystem ensures our platform and tools can integrate with the best information governance and security partners. By partnering with exceptional security and compliance companies, we enhance your entire tech stack's cybersecurity and help your organization comply with the GDPR.
Automated classification
With Box Shield, you automatically classify personally identifiable information, custom terms within files, and intellectual properties. This automatic classification is based on your policies, ensuring you can receive the appropriate classification and protection for your data. Since Shield helps automate the classification process, it frees your staff up for other tasks and keeps your data secure even when your business scales.
Learn what Box has to offer
Now that you know how to prevent data breaches and respond to them while complying with the GDPR, you might be interested in learning more about how Box can improve your data security. With all of our security and compliance solutions, we protect your content and better connect your business. Since our solutions are based in the cloud and come in a comprehensive platform, you can reduce costs by eliminating redundant apps and the need for on-premises storage solutions.
Find out more about what Box has to offer. If you want to know more about how Box can help, start your free trial or contact us for more information.
While we maintain our steadfast commitment to offering products and services with best-in-class privacy, security, and compliance, the information provided in this blogpost is not intended to constitute legal advice. We strongly encourage prospective and current customers to perform their own due diligence when assessing compliance with applicable laws.