Some businesses find it difficult to determine what constitutes a data breach and how to report one. Here are some guidelines to help shape your data breach policy.
Five hundred calls a week.
That’s the number of contacts the UK Information Commissioner’s Office (ICO) says it has been receiving each week from companies since the GDPR came into effect. Many are concerned that they may have experienced a personal data breach.
Of these calls, a great number are the result of misunderstandings about what a data breach actually is. Many are likely due to an abundance of caution, as companies grapple with what needs to be reported and what doesn’t.
Caution is understandable. Extensive coverage of data breach examples, including the Experian data breach and the British Airways data breach, has whipped up concern about which company might be next to experience trouble.
So, what is a data breach?
The ICO provided clarification on this during a webinar on 19 July. To start off, the ICO staff reiterated that the GDPR defines a data breach as:
“a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
It also explained the CIA triad: any incident that affects the confidentiality, integrity or availability of personal data should throw up red flags. A lack of integrity, for example, might be relevant where a hard drive was corrupted or hard copies of data were damaged by flood or fire.
Your data breach policy: Some common myths
The ICO webinar also helped to dispel some common misunderstandings. For example:
1. A data breach means a data loss
In fact, a data breach is about more than just losing personal data. Many of the high-profile cases are due to system intrusion. However, other scenarios include access by an unauthorised person, data being sent to the wrong recipient, or data being altered without permission.
2. Every breach is reportable
Actually, a breach doesn’t have to be reported if it is “unlikely to result in a risk to individuals’ rights and freedoms.” Here, says the ICO, having a risk assessment process in place is crucial. Consider the likelihood and severity of damage occurring, the nature and volume of data affected and its sensitivity. How permanent would the effects be? Is the person involved particularly vulnerable? Finally, the GDPR only applies to living people, so if your issue involves a person who is deceased, it’s not a reportable breach.
3. The reporting deadline doesn’t include down time
Nope, the 72-hour reporting deadline means 72 “real” hours, “where feasible.” The count includes evenings, weekends, holidays, etc. It starts from the moment the data controller has a “reasonable certainty” that a breach has occurred. If you miss this deadline, you’ll need to explain why. And reporting doesn’t mean just sending an email or a phone call to the ICO. Check the ICO website for recommended reporting procedures and information on what details you’ll need to provide when you get in touch.
4. You have to know everything by the deadline
Usefully, the ICO lets you provide information in phases, if you don’t have full details of a data breach and its implications straight away. The more serious the breach, however, the less time you’ll likely have to provide full details and your action plan. The ICO also recommends out-of-hours or weekend workers have a clear route to flagging up problems so action can be taken. Remember, as part of your data breach policy, you need to think about containing a breach, not just reporting it.
5. If it’s not reportable, it’s not important
The GDPR requires you to document an incident even if it does not have to be reported. You should keep a breach record that notes the facts relating to the breach, including its effects and what remedial action was taken.
6. It’s better to be safe than sorry
Not necessarily, when it comes to reporting. For the ICO, unnecessary reports distract it from more urgent cases, and over-reporting to the public can lead to ‘reporting fatigue’, making individuals less likely to take action to protect themselves when a really serious issue arises. Take time to be sure that you really do have an issue (not just temporarily misplaced documents, for example).
How can mobile data capture help guard against data breaches?
While ensuring you have clean data is an important data-security must-have, it also makes sense to use tools that make a data breach less likely in the first place.
Gather’s data capture app, for example, helps you ensure your data is shared securely. Any interaction between the Gather app and its users is encrypted to an enterprise standard. Data you collect is secure in transit, over all internet connection types, and between hubs used for processing or analysis.
Meanwhile, Gather has validation tools built in – reducing the likelihood that you’ll be caught by out-of-date details.
Finally, Gather’s mobile data capture app makes getting the consents you need a seamless process. You create customised, GDPR-compliant permission statements that include positive customer opt-ins. You can attach PDF capture forms so you have a physical record of consent. Consent can be traced right back to the device on which the customer data was obtained.