Part 10: Breach Response & Monitoring 

Accountabilityis one of the 7 Principles under the GDPR (General Data Protection Regulation). To ensure businesses comply with their accountability obligations, the ICO has now created a framework that breaks down the key elements of accountability in data protection.

As part of an ongoing series of blogs, CVG Solutions will be guiding you through the ICOs 10 framework categories, taking a closer look at the importance of each aspect and how to adhere to them.

Part 10: BREACH RESPONSE AND MONITORING

Data breaches are a serious business. There can be significant repercussions for organisations for failing to notify the relevant parties of a breach, when required to do so. Not to put too finer point on it, but organisations can face fines of up to 10 million Euros, or 2% of their global turnover from the previous year, whichever is the greater. That’s not to mention damage to reputation, loss of business and disciplinary actions in the case of an employee that fails to report a breach.

In order to avoid such severe consequences, an organisation needs to be able to detect, investigate, asses and record breaches. Having clear and appropriate procedures in place ensures your chances of averting a breach, and drastically reduces their impact if they happen.

A swift and effective response to any breach is therefore crucial. In order to make the whole process more manageable, this final section of the ICO’s Accountability Framework is broken down into 8 sections:

1) Detecting, managing and recording incidents and breaches

It would be prudent to assign a dedicated person or team to manage data breaches, but all staff should be trained to recognise, report and even escalate breaches when they occur.

The procedures and systems in place should be designed to effectively facilitate breach reporting.

All breaches and security incidents must be recorded, whether they are reported to the ICO or not.

2) Assessing and reporting breaches

When incidents occur that must be reported to the ICO there should already be an established and clear procedure for notifying them within 72 hours, along with processes to assess the severity of the breach.

3) Notifying individuals

A procedure should be in place that states precisely how individuals affected by a breach will be notified, where appropriate. The notification to the data subjects must consist of clear language and advice should be given on how to reduce their risk.

4) Reviewing and monitoring

It is important that any and all breaches are logged and analysed. Trend analysis should be performed in order to get a full understanding of key themes and issues.

5) External audit or compliance check

The organisation should employ an external audit company to produce independent assurances on the standard of data protection and information security compliance. An audit report should then be produced that document the findings and subsequent action plans created as a result.

6) Internal audit programme

The organisation should carry out regular internal data protection compliance tests, along with informal, ad-hoc monitoring and spot checks. Audit reports should be produced to document their findings, with the creation of subsequent action plans.

7) Performance and compliance information

It is important to establish KPIs that relate to data protection compliance and information governance, such as Subject Access Request performance, records management and completed staff training. All KPIs should also be regularly assessed.

8) Use of management information

The key data acquired from monitoring the KPIs should be communicated to the relevant stakeholders, who in turn should review these outcomes and plan accordingly.

In a nutshell

Identifying vulnerable areas where a breach could occur and reducing the risk to individuals when a breach does occur are of vital importance. Both can be achieved by the careful monitoring of processes (both internal and external), which identify patterns and pinpoint vulnerabilities.

———

For any changes to data protection and transferring policies as a result of Brexit, or for a full breakdown of what privacy information includes, get in touch with CVG Solutions and we can help guide you through everything you need to know and ensure you meet all the requirements laid out by the ICO.

You can read our other blogs in the series on:

Leadership & Oversight (Part 1) 

Training & Awareness (Part 2)

Transparency (Part 3)

Contracts and Data Sharing (Part 4)

Records Management & Security (Part 5)

Policies & Procedures (Part 6)

Individual’s Rights (Part 7)

Records of Processing and Lawful Basis (Part 8)

Risks and Data Protection Impact Assessments DPIAs (Part 9)

If you require any further help, guidance, information or clarification, you can contact CVG Solutions at info@cvgsolutions.co.uk, or call us on 01775 660-506.

———

‘Breach Response and Monitoring’ Checklist:

  • Could staff explain what constitutes a personal data breach?
  • Do they know how to report incidents?
  • Would a sample of how you manage incidents demonstrate adherence to the policy and procedures?
  • Are staff aware of the policies and procedures and are they easy to find?
  • Do staff understand how to conduct the risk assessment?
  • Do they know when a breach needs to be reported to the ICO?
  • Would individuals say that they were told about personal data breaches in a helpful and timely way?
  • Did they get the information they needed?
  • Were they satisfied with the steps you took to mitigate the impact?
  • Could we see an example of how you handled an incident that required lessons to be learned?
  • Were the steps you took to prevent a recurrence of the incident effective?
  • Do staff adhere to the external standards as claimed?
  • Are they aware of a range of suitable external tools?
  • Are senior managers aware?
  • Could staff explain a sample of actions from the action plan including how they were identified, progressed and closed?
  • Do senior management have oversight of the Action Plan?
  • Are there appropriate links to a risk management process and register?
  • Could staff explain any instances of non-compliance to statutory timescales highlighted in the reports and the actions taken to address the issue?
  • Could you give examples of information flowing between operational levels and senior management?
  • Are staff given appropriate information?
  • Do they understand it and are the actions taken clear?