It won’t surprise you that many businesses are still unprepared for GDPR. In fact, many businesses do not believe they will be fully prepared in time, leaving them open to fines of up to €20m or four percent of annual turnover.
However, for many businesses, especially those with limited security resources, the priority should be on the reporting timeline itself.
GDPR guidelines state that when a data breach does occur, businesses should detect and report a breach within 72 hours.
So here’s our guide to what you should do if you discover a data breach.
The most important step is to lay the groundwork. Ensure that your organisation has put all the necessary policies and procedures in place. You also need to document them, so that you can demonstrate the steps taken to achieve compliance.
If you don’t have these systems already set up, it is unlikely that you will be able to react quickly enough to hit the 72-hour deadline.
The first step is to gain an understanding of where your customer data is stored, or could be accessed.
It is also important to identify how your organisation stores and uses customer records, such as the details collected when a customer signs up for a mailing list.
The next step is to set up security alerts. These will warn you if there are any potential risks to this data. Many people complain about being bombarded with these sorts of alerts, but once GDPR comes into effect, there will be no excuses for missed alerts or mistakes.
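As an added illustration of the alerting step (this is example code, not part of the original guide), the script below applies two simple rules to constructed customer-record access logs: flag any access from a host that is not on an approved list, and flag any single event that touches an unusually large number of records. The log format, the `APPROVED_HOSTS` list and the `BULK_THRESHOLD` value are assumptions made for the example. Repeated hits from the same unapproved host are collapsed into one alert so that a noisy source does not bury the more serious bulk-access alert.

```python
"""Added example: rule-based alerts over customer-record access logs.

Constructed sample data; the log format, host allow-list and threshold
are assumptions for illustration, not any specific product's output.
"""
from collections import defaultdict
from datetime import datetime

# Constructed log lines: UTC timestamp, user, source host, action, records touched
SAMPLE_LOG = """\
2018-05-01T09:02:11Z alice app-01 read_customers 25
2018-05-01T09:15:40Z bob app-02 read_customers 40
2018-05-01T09:16:02Z bob app-02 export_customers 12000
2018-05-01T22:47:19Z carol 203.0.113.9 read_customers 30
2018-05-01T22:48:03Z carol 203.0.113.9 read_customers 31
"""

# Assumed policy: only these hosts may touch customer records, and any single
# event touching BULK_THRESHOLD records or more deserves a human look.
APPROVED_HOSTS = {"app-01", "app-02"}
BULK_THRESHOLD = 1000


def parse_line(line):
    """Turn one whitespace-separated log line into an event dict."""
    ts, user, host, action, count = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user,
        "host": host,
        "action": action,
        "count": int(count),
    }


def evaluate(log_text):
    """Apply both rules and return a de-duplicated list of alert dicts.

    Unapproved-host hits are collapsed to one alert per (user, host) with a
    hit count and the time of the first hit, to limit alert fatigue.
    """
    alerts = []
    unapproved = defaultdict(lambda: {"hits": 0, "first_seen": None})
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev["host"] not in APPROVED_HOSTS:
            entry = unapproved[(ev["user"], ev["host"])]
            entry["hits"] += 1
            entry["first_seen"] = entry["first_seen"] or ev["ts"]
        if ev["count"] >= BULK_THRESHOLD:
            alerts.append({
                "rule": "bulk_access",
                "user": ev["user"],
                "host": ev["host"],
                "records": ev["count"],
                "ts": ev["ts"],
            })
    for (user, host), entry in unapproved.items():
        alerts.append({
            "rule": "unapproved_host",
            "user": user,
            "host": host,
            "hits": entry["hits"],
            "ts": entry["first_seen"],
        })
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_LOG):
        print(alert)
```

On the constructed input this produces two alerts: one bulk export of 12,000 records by `bob`, and one collapsed alert for `carol` accessing records twice from the unapproved address `203.0.113.9`. In practice the thresholds and allow-list would come from the data inventory described in the previous steps.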
The clock starts ticking
Once a data breach has occurred, the primary focus is to contain the incident. The best way to do this is to isolate the affected systems to prevent further damage.
If you can identify the elements that contributed to your breach, such as an individual laptop, then you can section that off from the network, and then do the forensic analysis.
Once you’ve contained the incident, you need to find the cause.
Attackers may have exploited a specific weakness, such as a phishing email or a weak password; but to actually undo the effects, you will probably need to remove the malware, and then wipe and reinstall affected machines.
Once you have a good understanding of the breach, you must involve everyone that is affected.
Any breach notification should include:
- The number of individuals affected
- Details on the type of data concerned
- The name and contact details of someone within your business who can provide more information
- A description of the likely consequences for individuals
- The measures taken to combat it
These communications should be drafted, approved by management, and then shared with your customers, shareholders, and regulators.
Whilst identifying and containing a data breach within 72 hours is relatively simple, cleaning up the mess can take far longer.
During this recovery process, it’s vital to keep a very close eye on your reinstalled systems to monitor for any errors.
The final important step is to review and analyse what happened. Take the time to work out why it happened, and consider how it could be prevented in the future.
If you would like any help or advice with ensuring that your old and unwanted computers are disposed of securely so as to avoid a data breach, then call Tier 1 on 0161 777 1000.