Data breaches are inevitable. Most breaches are the result of a cock-up rather than a conspiracy. With customers becoming more aware of their data protection rights, trust in how a company handles their data is driving choice. How a business responds when the worst happens will have a great impact on that trust, and reports of reactions to the negative publicity around recent breaches involving BA and Ticketmaster support this.
Whether or not a breach is reportable, the nature of the breach and how you respond to it must still be recorded by the business in order to show compliance with the law.
When managing a data breach, preparation is the key. If your breach is reportable to the regulator, valuable time could be wasted in putting a team together and deciding who should be doing what, rather than managing and controlling the effects of the breach on your business and customers. If you are not in a position to report within the 72-hour time frame, the regulator could take a range of actions, from ordering you to stop processing data for a specific purpose to issuing a monetary penalty – and both could carry a significant cost.
Take our Data Breach Readiness MOT to find out how prepared you are for the inevitable.
You have assembled your data breach response team.
Your response team has the necessary experience across IT, legal, and communications.
You have audited and tested your response plan in the last 12 months.
Your contracts with data processors and key partners include defined responsibilities for a breach situation.
Your processors know who to contact in your organisation when becoming aware of a breach.
You have a clearly identified team lead who will liaise with the regulator and other stakeholders.
You have an inventory of the types and location of the information you store that could be exposed during a data breach.
You have the technology, the people and knowledge in house to conduct a thorough investigation into a cyber security incident.
You have identified what your breach notification process would look like.
You have identified everyone who needs to be mobilised in the organisation in the event of a breach.
You know what services you are going to offer to reassure affected parties in the event of a breach.
You have developed a communications incident response plan, including drafts of key messages that will be useful during an incident.
Your chosen response team are experts trained and confident in communicating.
You have conducted a crisis simulation to test how effectively your organisation would manage a breach incident in the last 12 months.
You have conducted employee training to apply data protection best practices in the last 12 months.