What is a data breach?
The GDPR defines a personal data breach as:
‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.’ If, like most others, you find this a bit daunting, personal data breaches can be broken down into three categories:
- Confidentiality – a breach of access to personal data
- Availability – loss of access to personal data records
- Integrity – unauthorised or accidental alteration of personal data
A single breach can fall into any or all three of these categories, so it is important to determine quickly which of them your breach involves. You have 72 hours after a breach is detected to report it, and then to take the necessary steps to avoid significant, detrimental effects on all parties involved.
How does a data breach affect you?
As stated before, you have 72 hours to report a breach appropriately, and failure to do so can result in a fine of up to €20 million or 4% of your global turnover, whichever is greater.
There are two separate tiers of fines you may receive, each applied to the different infringements listed in Article 83(4) and Article 83(5). The lower tier consists of a fine of up to €10 million or 2% of your global turnover, again whichever is greater. So it is important to keep in mind the factors taken into account when a fine is applied. Below are some of the criteria:
- The nature, gravity and duration of the infringement
- The intention or negligence behind the infringement
- Action taken to mitigate damage suffered by data subjects
- The degree of responsibility
If you would like a full rundown of the considerations taken into account when deciding the level of fine to assign to a specific case of non-compliance, take a look here.
The untold cost
Given how much awareness there was of GDPR when it first came into force on May 25th of last year, it is still a concept that very much exists within the public consciousness. Although the general populace may not be aware of all the particulars, what they do know is that they have a right to have their data captured, stored and managed in a way that protects their privacy.
The financial implications a data breach might pose to your company may pale in comparison to the backlash your brand might receive from a data breach.
“The reputational damage suffered by companies who fail to protect personal data can translate directly into a loss of business.” – Tim Critchley, CEO of Semafone
A survey conducted by OnePoll found that 86.55% of 2000 respondents stated that they were “not at all likely” or “not very likely” to do business with an organisation that had suffered a data breach involving credit or debit card details.
Time and time again we have seen companies suffer PR nightmares because the proper measures were not taken to prevent a data breach in the first place, but most importantly because no adequate data breach policy was in place.
Earlier this year the Ponemon Institute, in its report “The Aftermath of a Mega Data Breach: Consumer Sentiment,” revealed that data breaches rank alongside poor customer service and environmental disasters in their impact on brand reputation.
In 2014 eBay found itself the victim of a hacking attack that resulted in 145 million user records being breached. This quickly became known as one of the biggest data breaches in history. eBay admitted that user rates declined as a direct result once the breach reached the public, which in turn negatively impacted its quarterly net revenue.
Mistakes are bound to happen down the road but having a plan in place for a breach is imperative to avoid an ethical and PR backlash.
Proactive or reactive?
eBay faced more backlash than some due to slow response times and lack of transparency when communicating the breach to customers, some of whom found out through news outlets rather than from the brand directly.
Having a data breach policy in place is not just about mitigating the impact of a financial fine, but crucially, about managing your customers’ expectations and your hard-won brand reputation.
Owning the data breach, and having a plan of action for communicating with your customers in this eventuality, is key. Ensure your data breach policy includes the following elements:
- How you inform the customers that are impacted
- What materials you provide to educate and help customers to mitigate further loss
- The frequency of updates at different stages of the investigation
However tempting it may be to keep a data breach as private as possible, the impact of keeping it private could be much more costly to your reputation.
If you want to update your data processes, see how our data services team can help and get in touch with an expert today.