Almost a year after the implementation of the GDPR, the Dutch privacy authority announced that the number of reported data breaches in 2018 has more than doubled compared to 2017. In a way this only makes sense considering the significant fines that now can be imposed by the Data Protection Authorities (DPA). The DPA’s main concern however, and ours for that matter, is the fact that countless organisations still haven’t put in place a decent data breach register accompanied by a guidance how to deal with a data breach.
Identifying data breaches
This particularly applies to public administration bodies, the healthcare industry and finance companies. In 63% of all reported cases, the violation concerned personal data accidentally sent or handed over to the wrong recipient. For these figures to go down considerably in the long run there is still quite some awareness work to be done. An adequate data breach register, which in itself is mandatory, can and should serve as a great tool to achieve this. After all, only by identifying data breaches and capturing information related to them an organisation can learn from its mistakes and shortcomings.
Automated workflow for data breach notification
In order to really learn, we need to understand what went wrong. We have to determine the risks of data leakage throughout the entire organisation. On top of that, each data breach, either with or without the need for notification, must be thoroughly analysed to prevent the same mistake from happening again. So how do you keep track without a sound register? Well you don’t. Without a well-classified data breach register (broken down by nature, consequences for those involved and possible measures), there is no clear overview of data breach incidents within your organization. As a result, preventing new breaches is still a long way off. This is why you need an automated work flow, based on a fixed set of questions. As with regular Risk Assessments & Evaluations, the answers in turn allow for analysis and reviewing by the DPO or other specialist, potentially leading to mitigating measures.
Ideally, the workflow tool chosen covers a whole range of topics and questions that many organisations are still struggling with. The question if all security incidents automatically classify as data breaches is just one example. Knowing exactly in which cases people involved need to be notified of the leakage or not is another example. A complete and accurate overview of data breaches that have already been classified allows DPOs to make a risk assessment and determine whether or not a particular breach needs to be notified. And did you know that losing encrypted data and even destroying of damaging certain data is also qualified as a data breach? While we’re at it: most of us know by now that any Data Controller is to report a relevant data breach to the authorities within 72 hours. But how many people know that Data Processors in turn have the obligation to notify the Data Controller of the leak?
For questions about a high-quality workflow or more information on data breach notifications (or any question for that matter) please contact Marieke Knegt