The Article 29 Working Party’s guidance on Breach Notification suggests some things we should do before a security breach occurs. The GDPR expects data controllers, within 72 hours of becoming aware of any security breach, to determine whether there is a risk to individuals and, if so, to report to the national Data Protection Authority. It seems unlikely that an organisation that hasn’t prepared is going to be able to manage that.
Although the guidance states, correctly, that the impact of a particular breach can only be assessed after it has happened, it should be possible to identify at least the range of possible impacts beforehand. Indeed some of the Working Party’s suggested factors seem very unlikely to be spotted in the busy time immediately following an incident: if you hadn’t thought about it previously, would you notice that a list of addresses for which deliveries are temporarily suspended (indicating occupants away on holiday) could have a much higher impact (value to burglars) than the list of addresses to which regular deliveries are made?
Page 24 of the guidance suggests several things we could think about in advance, perhaps during the assessment of information lifecycles. For each collection of personal data it should be possible to identify:
- What types of breach (confidentiality, integrity or availability) could have significant impact on individuals’ rights and freedoms?
- What is the nature and sensitivity of personal data?
- How easily can individuals be identified (perhaps in combination with other information)?
- What kinds of consequence might result from a breach?
- Are there individuals who might be particularly vulnerable (e.g. children) or a context that increases the sensitivity of otherwise low-risk data (e.g. names held by a medical clinic)?
- How many individuals would be affected by a breach?
Knowing this information should allow the data controller to assess, for each collection, whether a future breach is likely to involve a risk to individuals (so be reportable to the DPA), a high risk (so reportable to data subjects) or only risks that are mitigated (so recordable, but not reportable). When a breach occurs, the controller then only needs to consider whether there were mitigating or aggravating factors that change that pre-assessment. The Working Party gives the example that if a spreadsheet of personal data is accidentally emailed to a partner who can be trusted to delete it, this will reduce the initial assessment of the severity of that kind of breach.
The answers to the questions will also provide most of the information needed for the initial report.
One point that isn’t specifically highlighted in the guidance is that this kind of preparation is particularly important when processing is conducted by a data processor. Whereas for in-house processing the data controller may be permitted a short period of investigation between the discovery of a breach and the “awareness” that it has affected personal data, for outsourced processing awareness begins as soon as the controller is notified of the breach by the processor. That means even more needs to be fitted into the 72 hours, so it’s even more important to be prepared.