Unfortunately, it is inevitable that at some point any business that handles personal data will face a data breach. Organisations should not consider it a matter of if, but when. Preparing for such a breach, however, means that when the time comes you will be better equipped to respond. Together with our IT, PR and legal experts, we help you become breach-ready.
Preparing for a breach
Studies show that the cost of a data breach for a small company could exceed €300,000, with data breaches for larger organisations (500 employees or more) potentially costing millions. However, mitigating the risk is entirely possible, and offers excellent return on investment.
Anticipating a breach allows you to prepare for it. A data breach should not be a learning experience – there is too much to lose, and under the GDPR there are tight timescales for reporting a breach. After a breach, businesses and organisations are under immense pressure to protect and restore their reputation, so we also coordinate the breach response seamlessly with PR experts.
A personal data breach is wider than just a loss of data – it is defined widely to include accidental or unlawful destruction, loss, alteration of data, and unauthorised access to or disclosure of data.
Organisations will need to define what, in practice, would constitute a personal data breach (in line with the GDPR definition). Employees should be trained to recognise such breaches, and immediately report them internally when they occur. It is vital to have robust breach detection, investigation and internal reporting procedures in place, in anticipation of the inevitable breach occurring.
Training and awareness of personnel
Preparation and staff training will be key, as organisations in crisis will need to be able to rely on a simple and clear plan to identify who to contact and what action to take.
Under the GDPR, data controllers may be required to notify local data protection authorities of personal data breaches they have experienced no later than 72 hours after becoming aware of them. Data processors also have reporting requirements and have to inform the data controller of the incident without undue delay.
In practice, therefore, data processors would have to report every personal data breach that occurs, and data controllers would then have to decide whether reporting to the relevant authorities is required.
Organisations may also be required to notify their customers without undue delay where a breach is likely to result in a high risk to the rights and freedoms of such customers, although there are some further qualifying factors (such as whether or not the data has been encrypted).
Penalties for non-compliance
Under the GDPR, any organisation that fails to comply with the data breach notification rules could be fined up to €20 million, or 4% of their global annual group turnover. Aside from fines, regulators have other powers, including imposing a temporary or indefinite ban on processing, or suspending data flows to a third party. These could potentially have a catastrophic effect on an organisation’s bottom line.