GDPR: Efficiently Manage Information Regarding Data Breaches
• Under GDPR, companies are required to report data breaches to the responsible supervisory authority within 72 hours of their occurrence.
• Efficient risk management for data breaches is key to counteracting damage to a company’s reputation.
• Digital whistleblowing systems, used to report potential compliance and ethics violations, are a great way to centralize GDPR violation processing and fine-tune the way companies handle case management.
The implementation of whistleblowing systems has become a priority for many companies and regulators. Digital whistleblower platforms serve to protect whistleblowers by allowing them to anonymously report violations within a company. We have covered this topic extensively here in past posts and recommend companies explore the implementation of digital whistleblowing systems.
Obligation to Notify Subjects of Data Breaches
The EU’s roll-out of GDPR, going into effect on May 25, 2018, imposes further obligations on companies. GDPR mandates businesses have clear notification processes for data breaches. If a company violates protection obligations of personal data, the incident must be reported to the relevant supervisory authority within 72 hours.
Infringement of personal data can take various forms. For instance, external targeted attacks (e.g. hackers) often involve stolen data. However, data breaches can happen in other ways. Even "accidents", such as a lost briefcase containing customer information or an email accidentally sent to the wrong recipient, may constitute a personal data violation.
Reporting a data breach requires the data processor to provide certain information to authorities. For example, the data infringement must be assigned to a category, and the number of persons affected must be estimated. The data processor must also estimate the possible consequences or potential damages resulting from the data infringement. If a penalty is imposed, any measures already taken to protect personal data will reduce it. Possible measures that companies can take to prevent data breaches include, for example, monitoring data centers to protect against unauthorized access, or systematically monitoring all data processing operations. In addition to reporting data breaches to the supervisory authority in accordance with Article 34 of GDPR, companies/data processors must also inform affected individuals about the data breach in a timely manner.
Managing data breaches is a question of risk management. If possible, data breaches should be detected and reported early on. With a timely approach, serious consequences, such as reputational damage or financial penalties, can be averted or at least mitigated.
Failure to do so can result in serious issues. A clear example of this is the recent Facebook scandal surrounding user data abuses. In this case, the company had failed to actively report its data breach and informed affected users of the personal data abuses only after extensive delays and under pressure from third parties. Facebook is now working to mitigate the damage this caused to its reputation, which had a significant impact on the value of the company.
Efficient Management of Data Breach Notifications
In order to report data protection violations in a timely and efficient manner, companies need clear structures and processes. Digital tools are a particularly efficient way to centrally control reporting of GDPR violations. They can help to record incidents and document all details of a data breach. Using the digital tool, further actions to deal with a breach can be managed by trained staff, improving case management and workflow.
Through our work with our clients, we now see that whistleblowing systems are also effective reporting channels for notification of data breaches. The person responsible for a data breach can use this system to dutifully report it (anonymously, if necessary) to the company's data protection officers. The company can then coordinate further internal processes via the case management that is integrated in the system.
In the end, a digital reporting system kills two birds with one stone by meeting requirements of both whistleblower protection, and GDPR data norms. That’s efficient risk management!
Curious to learn what a digital reporting system could look like? Don't hesitate to get in touch with me.