Breach detection and response procedures
Controllers and processors should ensure they have robust breach detection, investigation and internal reporting procedures in place. In the event of a breach, such procedures will aid decision-making and identify what actions need to be taken, by whom, and who to notify.
On becoming aware of a breach, it is important to initiate steps to contain it and mitigate the potential adverse consequences for individuals. Controllers are expected to prioritise the breach investigation, provide adequate resources to do so, and expedite it urgently.
The steps to be taken should be based on how serious the consequences to an individual are, and how likely they are to happen. Therefore, immediately upon becoming aware of a breach, it is vitally important that the controller not only seeks to contain the incident but also assesses the risk that could result from it.
There are two important reasons for this: firstly, knowing the likelihood and the potential severity of the impact on the individual will help the controller to take effective steps to contain and address the breach; secondly, it will help it to determine whether notification is required to the supervisory authority and, if necessary, to the individuals concerned.
Breach response procedures should:
- allocate responsibility for managing and responding to a personal data breach to a dedicated person or team;
- confirm that the person or team designated to respond to the breach has the full support of senior management to take all actions necessary to contain, mitigate and recover from the breach;
- advise and inform staff how to recognise a personal data breach, what to do in the event of a breach and who to inform;
- describe how to assess the likely risk to affected individuals;
- identify which data protection authorities must be notified;
- include processes to inform affected individuals, without undue delay, of a personal data breach if it is likely to result in a high risk to their rights and freedoms; and
- include processes to fully document all breaches and the remedial actions taken.
The breach response procedures should be subject to regular review and testing.
Documenting a personal data breach
A controller is required to document the facts relating to the breach, its effects and the remedial action taken.
As with any security incident, an investigation should be undertaken to determine the cause of the breach, for example whether it resulted from human error or a systemic issue, and also to identify how a recurrence can be prevented, perhaps through better processes or further training.
What should a processor do?
If you are a processor and a personal data breach occurs, then you must notify the controller without undue delay after becoming aware of the breach.
A controller contracts a cloud services firm (processor) to hold its customer records. The cloud services firm detects an attack on its network that results in personal data about the controller’s clients being unlawfully accessed. As this is a personal data breach, the cloud services firm promptly notifies the controller of the breach. The controller in turn notifies the Commissioner.
Note: where a processor is used, the obligations on personal data breach reporting should be set out in the contract required under Article 28 of the ‘Applied GDPR’.