Are You Ready for a Data Breach in the Post-GDPR Era?
As a company, you can be fully compliant with GDPR and still suffer data breaches. This is just a reality. The chances of it happening are significantly reduced with compliance because you’ll have located and mapped all your data and put various security measures in place along the way.
Managing data efficiently is a big part of the battle in complying with GDPR, and much of this work will be automated. One way of reducing the risk of a data breach is by bolstering security in computer systems and servers. You can also use encrypted files to mitigate the damage of a hacking breach.
What you can’t control as rigorously is the scope for human error in a company. Criminals often target staff with sophisticated phishing attempts.
Primary Threats: Phishing and Vishing
One of the biggest threats to the data you hold, whether its customer information or company data, is phishing. Phishing frequently occurs in the form of emails which encourage recipients to part with sensitive data under false pretences. Still, a more direct approach is often taken with companies.
Phishing by a phone call, aka “vishing”, is prevalent. Such a phone call will try to provoke emotion, (e.g. panic, fear, a sense of urgency) so that the receiver makes mistakes. A typical example is when the caller purports to be a bank employee trying to prevent a fraudulent payment from the company’s account.
Even seemingly innocuous phone calls can be part of a phishing scam. The scammer may phone up as a customer just to establish contact names, which are later used to increase credibility during the “sting”. No matter how savvy employees are, they might be caught out by intelligent social engineering.
A safeguard against phishing, or an extra firewall if you like, is only to give employees access to data they strictly need to carry out their work. The more hurdles you put in the way of a scammer, the better. As well, employee training against various forms of phishing helps.
Reacting to a Breach Under GDPR
As undesirable as a data breach is, the way your company reacts to such an event is a vital part of GDPR compliance. A GDPR regulator is unlikely to punish a company with limited resources for an instance of human error, but not reacting to a breach quickly enough could attract a fine. Under GDPR, companies must report a breach within 72 hours of discovery.
The longer a breach goes unreported, the more of a threat it often is to its victims. But still, you need to supply a certain amount of information when reporting a data breach. That’s why you’re allowed three days and why three days might seem too few.
If your company is GDPR-compliant and manages data well, the information you supply to authorities will be easier to gather. You’ll be able to trace what caused the breach and better predict the consequences. A data breach exposes GDPR non-compliance, which is one reason to try and comply before one occurs.
Information You Must Supply
The information you should supply to a GDPR authority in the event of a data breach includes the following:
- Context; how the breach occurred and what mistake or weak point allowed it to happen.
- Extent of damage; assess the number of data subjects affected and the categories (e.g. high risk) of those which are.
- Ascertain likely impact; describe what impact the data breach has had and is likely to have.
- Naming the DPO; in larger companies, a DPO should have been appointed to oversee GDPR compliance. This person must be named in a report.
Other information to supply includes the preventative measures you had in place to guard against such a breach, (including staff training), and how you intend to repair or offset the damage.
Companies which have done little or nothing towards GDPR compliance at the time of a data breach are forced to admit their culpability in this report, whether overtly or not. Big companies with greater resources are punished more heavily for inaction or carelessness, but this is not a situation you want to find yourself in regardless of business size.
The Importance of Data Mapping
If your company doesn’t know what data it stores or where it all resides, the risk of a data breach is much higher. This is what data mapping does; finds and tracks data in your company. Without it, a breach may not be found for a long time, so the potential harm it causes will grow.
Data mapping gives you the information you need to manage data and is at the core of GDPR compliance. It helps you uncover vulnerabilities and understand how data flows through your company. You’ll identify any problems with access; who can see what data, why they need to see it, and what levels of security are in place.
Part of GDPR compliance involves minimizing the amount of data you store and not keeping it for longer than needed. Good data-compliance software provides you with the tools you need to do this. It also helps you gather information in the event of a breach and proves your efforts towards compliance with the relevant authority.
Although many businesses struggle with GDPR and its demands, its chief aim is to make all data controllers and processors accountable. The best way to avoid any possibility of a crippling fine is to take responsibility for the data your business holds, ideally before a breach occurs.
By being proactive about GDPR and complying with it as much as possible, your company will avoid the stressful situation of being caught out by a data breach as a result of inaction or apathy. GDPR authorities will view your predicament more favorably if you’ve made traceable steps towards compliance. Now is the time to act!