Allow us to get rhetorical.
Your business has just been the victim of a data breach. For the sake of the scenario, let's assume it's a big 'un; customer details, login credentials, personal details you'd keep under lock and key - all are compromised and likely fetching a pretty penny in the shadiest corners of the Dark Web.
What's the first thing you do?
While 'panic' might be your first, involuntary response, GDPR policies ensure that there's little time for that. Under the authority of the Information Commissioner's Office (ICO), businesses have a time limit of 72 hours, from the moment the breach is noticed, to provide an incident report. So you'll need to make some phone calls, fast.
How fast, exactly? Not so fast that your report isn't diligent and detailed. Yes, despite the urgency of raising the alarm, as it were, you'll still need to detail a number of crucial factors, such as the nature of the breach, the extent of the damage, and the recovery efforts you've made. Failure to provide this in due course can result in one of two eye-watering penalties: less severe, 'Tier 1' breaches will fetch maximum fines of €10 million or two per cent of a company's annual revenue, whichever is greater. 'Tier 2' doubles those figures, with fines reaching as much as €20 million, or four per cent of your company's revenue, again, whichever is greater. That extra work suddenly seems less trivial.
Thankfully, the ICO website does provide self-assessments for businesses, helping to determine the nature of the breach, what you'll need to provide in your report and, in some instances, whether a report will even be necessary. The questionnaire takes as little as two minutes, so it's invaluable, and set up with brevity in mind. If you do need to provide a report, the ICO enthuses that it helps to provide as much information as possible. Let's break down what their operators ask, and how best you can answer.
What Has Happened?
You'll want to explain everything you know about the breach, including the nature of the attack and any systems compromised. If this has affected any internal systems or day-to-day operations, make a note of these as well, as this can help you and the ICO foresee any future complications.
What Data is Affected?
You'll want to note exactly the kind of personal data that has been compromised. Whether it's your employees or your customers, your commitment to GDPR means all individuals will need to be protected and accounted for.
Numerous things, from National Insurance (NI) numbers to sexual preferences, are all considered personal data under GDPR, so it helps to be as vigilant as possible in your report. Assume everything is sensitive and detail as much of it as you can. The ICO will want to know the categories, types and volumes of data breached, including any potential or unconfirmed victims.
When and How Did You Find Out About the Breach?
You'll want to detail exactly how you were alerted, and when. This can help to identify the time, place and manner that the breach took place, from which other factors - such as motives or targets - can be identified.
What Are You Doing as a Result of the Breach?
You'll need to demonstrate that you've taken steps to mitigate the breach and prevent any further ones. If you can't, you probably need to get off the call and get that seen to.
It's not only your business you're protecting here, it's the security of your compromised parties too.
You'll need to detail your company's own preventative solutions, as well as any individuals or organisations that you'll be contacting to inform of the breach. Detail anybody and everybody the breach has affected and everything you intend to do to safeguard them. Consider any other weaknesses you've identified and how you've protected them, and whether any further details could be compromised should these safeguards fail.
Are Staff Aware?
And by aware, we mean more than just reacting. You'll want to detail any staff training or any actions you've taken to keep them informed and operating safely in the wake of the complications. Pay particular attention to any prior data protection training, including when it was taken, who took it, and what that training entailed.
You'll also need to provide details of your own business, including the name, the registered address, and the name of any Data Protection Officers (DPOs) you employ.
DPOs are mandatory for public authorities and any other company processing large amounts of personal data. Your DPO not only protects the sensitive information you manage every day, but can also help to compile the GDPR report in the instances of any data breaches and keep staff trained on the handling of personal data.
You might not be legally required to appoint a DPO, but if you choose to, they will still be subject to the requirements for a mandated officer's position.
Ensure you’re prepared, and provide your clients, employees and investors with certifiable proof of your dedication to your cyber security, by undertaking the government’s Cyber Essentials Certification. The scheme not only ensures your business is compliant and protected, but the certification also assures your clients that their data is being handled responsibly – a benefit to both them and your company's security.
We can help – give us a shout!
As always, your best security against data breaches is a dedicated disaster recovery solution and a workforce receiving regular security training. Let Mirus assess your company security and provide a bespoke solution tailored to your business needs.
Mirus Managed Security Services alleviate the pressures on your IT team and help keep your business secure and free from data loss caused by cyber-attacks.
Learn more about Mirus Managed Security Services: