Whitepaper

Guide to Developing a GDPR Personal Data Breach Response Plan

Noggin

Updated December 6, 2023

If there’s a constant in cybersecurity, it’s that financial institutions remain incredibly vulnerable to cyberattacks.[i] Handling massive troves of potentially lucrative private data as they do, financial services firms, especially commercial banks, are about 300 times more likely to be successfully attacked than businesses in other industries.[ii]

And those cyberattacks take a toll. Hacked financial institutions usually see a steep drop-off in consumer confidence, not to mention losses in sales and revenue.

The costs are only rising: an average data breach now costs the financial industry $336 per record.[iii] For context, the 2018 Exactis data breach exposed 340 million records.[iv]

For finance, the regulatory burden is getting stiffer as well. The General Data Protection Regulation (GDPR), in force since 25 May 2018, imposes a set of prescriptive rules intended to protect the personal data of individuals in the European Union.

Under the GDPR, businesses established in the European Union, as well as businesses elsewhere that offer goods or services to (or monitor the behaviour of) individuals in the EU, are obligated to protect the personal data (as defined below) they gather. The penalty for non-compliance if that data is misused is among the steepest fines in the world: up to 20 million euros or four percent of an organization’s annual global turnover, whichever is higher.[v]

Defining personal data

The GDPR defines personal data as any information relating to an identified or identifiable natural person (or data subject). 

An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

Source: Official Journal of the European Union

Given the combination of stricter oversight and steeper (potential) penalties, financial institutions need to prepare for the inevitable data breach. But doing so requires more than a one-size-fits-all data breach plan.

Instead, firms need a robust GDPR-specific personal data breach response plan to minimize the risk and ensure compliance. What follows is a handy, step-by-step guide to putting that plan together.

1 Identify your purpose and scope

The purpose and scope of this response plan might go without saying: protect customer data, ensure compliance with the law, lower risk, and avoid punishing penalties. But it still bears repeating in the plan itself. Also, think critically about what you are trying to accomplish with this plan (versus a more comprehensive data breach response plan), and list what the plan will cover.

Centrally, the plan will provide explicit information on how you’ll respond to a personal data breach in compliance with the GDPR. Note then that, under Article 3, the GDPR applies in two circumstances:

  • Processing of personal data in the context of an establishment of a controller or processor in the EU or the European Economic Area (EEA), regardless of where the processing itself takes place
  • Processing of the personal data of data subjects who are in the EU or EEA by a controller or processor established elsewhere, where the processing relates to offering them goods or services or to monitoring their behaviour

Reference documents will also be useful in the event of a personal data breach. Consider including the text of the GDPR (Regulation (EU) 2016/679) as well as your organization’s Personal Data Protection Policy in your mobile-friendly crisis management platform. That way they’ll be accessible to your entire response team.

2 Understand incident terminology

When it comes to the GDPR, language matters. It matters a lot. The GDPR has codified a whole set of terms, and understanding the precise definitions of those terms (with the help of legal counsel) will be critical to your response efforts, especially during the investigatory stage.

For starters, the GDPR (Article 4(12)) defines a personal data breach as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Note that this is broader than “hacking”: a lost laptop, a misdirected email, or a ransomware attack that leaves records unavailable all qualify. Other relevant GDPR-specific terms include the following:

  • Controller: The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
  • Processor: A natural or legal person, public authority, agency, or another body, which processes personal data on behalf of the controller.
  • Processing: Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. 
  • Supervisory Authority: An independent public authority established by a Member State pursuant to Article 51 of the GDPR.

3 Assemble your response team. List roles and responsibilities.

Your GDPR team will be on tap to provide immediate and effective response to suspected, alleged, or actual personal data breaches. So pick team members carefully.

Who should you be looking for? Well, effectively responding to a GDPR personal data breach (as an organization) requires a multi-disciplinary skill set. Recruit practitioners from IT, IT security, as well as legal and public affairs experts with specialist knowledge of the GDPR. You might need to reach out to external parties for some of this expertise. 

The team itself will work under the supervision of the Data Breach Response Team Leader. The Leader can add additional team members if the situation warrants it. And in the event of an actual breach, the Leader documents all decisions made by the team. Those documents might have to be later reviewed by the Supervisory Authorities.

Other important team members include the Data Protection Officer and the Digital Forensic Officer. The former is responsible for recording the breach in the organization’s breach register (Article 33(5) requires every personal data breach to be documented, whether or not it is reported), establishing whether the breach must be reported to the Supervisory Authority, serving as the contact point named in any notification, and, where your organization acts as a processor, reporting the breach to the relevant data controllers. The latter preserves evidence and establishes what data was affected and how, which is the basis for the description of the breach’s nature that the notification must contain.

Remember your personal data breach response has to be an around-the-clock effort. All team members, especially the Leader, need to have full contact details at the ready.

Also, your entire workforce, including contractors and other third parties, should at least be familiar with the plan. They might serve as “first responders” to any personal data breach event.

As for responsibilities, your team should be prepared to perform the following actions:

  • Validate and triage the personal data breach (more below)
  • Initiate an investigation
  • Ensure a proper and impartial investigation is conducted, documented, and concluded
  • Identify corrective requirements and track the resolution
  • Report all findings to executive management
  • Coordinate with the appropriate authorities, as required
  • Coordinate internal and external communications
  • Notify the data subjects impacted by the personal data breach, if required

4 Triage the personal data breach notification. Develop an action plan.

Responding to a personal data breach is the chief responsibility of your Data Breach Response team. Should the team determine that an actual breach of personal data has taken place, they’ll be required to take a number of steps, as laid out by the GDPR. Failing to do so might expose the organization (and, under Member State law, potentially individual team members) to civil or criminal liability.

The GDPR spells out a clear (internal and external) notification process, which organizations are required to undertake without undue delay. Notifying the Supervisory Authority, in particular, must be done where feasible within 72 hours of the controller becoming aware of the breach (see Article 33 below). The clock starts at awareness, not at confirmation of every detail, which is why the regulation allows the notification to be delivered in phases; a late notification must be accompanied by the reasons for the delay. Where the breach is likely to result in a high risk to the rights and freedoms of individuals, Article 34 additionally requires the controller to communicate the breach to the affected data subjects without undue delay. The rest of the notification process looks like this:

Article 33 of the GDPR: Notification of a personal data breach to the Supervisory Authority 

  1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
  2. The processor shall notify the controller without undue delay after becoming aware of a personal data breach.
  3. The notification referred to in paragraph 1 shall at least:
    – Describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
    – Communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
    – Describe the likely consequences of the personal data breach;
    – Describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
  4. Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
  5. The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with this Article.

Source: Official Journal of the European Union

Notification will only be one part of your organization’s personal data breach response effort. Teams must also try to contain the damage from the data breach, identifying corrective requirements and tracking the resolution. That action plan (see below) might require intervention from a larger Data Breach team.

[Figure 2: personal data breach action plan (image not reproduced). Source: Ryan Fahey, Infosec Institute, see citation i]

Financial institutions, especially commercial banks, are uniquely vulnerable to the personal data breach threat. And while nearly 90 percent of organizations have plans in place to deal with cyberattacks (broadly speaking), just 53 percent of them conduct the requisite simulation exercises to ensure preparedness.

So crucial to your preparations will be regularly testing and constantly refining your GDPR personal data breach plan with the entire workforce, including contractors and other third parties. Just remember: that regular testing is what it takes to ensure GDPR compliance, mitigate risk, and lower potential cost.

Citations

[i] Ryan Fahey, Infosec Institute: Which Industries Are the Biggest Security Targets? Available at https://resources.infosecinstitute.com/category/enterprise/securityawareness/security-threats-by-industry/#gref.

[ii] Paige Schaffer, ITSP Magazine: The Cost of a Cybersecurity Breach for Financial Institutions. Available at https://www.itspmagazine.com/from-thenewsroom/the-cost-of-a-cybersecurity-breach-for-financial-institutions.

[iii] Ibid.

[iv] Abrar Al-Heeti, CNET: Exactis said to have exposed 340 million records, more than Equifax breach. Available at https://www.cnet.com/news/exactis340-million-people-may-have-been-exposed-in-bigger-breach-than-equifax/.

[v] Arjun Kharpal, CNBC: Everything you need to know about a new EU data law that could shake up big US tech. Available at https://www.cnbc.com/2018/03/30/gdpr-everything-you-need-to-know.html.
