Following on from our recent articles ‘Don’t be Spooked by GDPR!’ and ‘Ensure GDPR compliance with VCI Systems’, in which we encouraged you to 1. Be Aware, 2. Prepare and 3. Protect your data, here we tell you about the final two steps in the process of becoming GDPR compliant.
4. Detect a Data Breach
The ability to detect any security breaches and attempts at data theft is paramount in becoming GDPR compliant. Just as a reminder, data breaches must be declared and failure to comply can lead to significant fines – up to 4{0e97e938a18f3bbe1f02ffd98cdd9acac84900d7d8571f1bd12e03efd4c12448} annual worldwide turnover or €20 million, whichever is higher.
A security breach could arise through various means, such as theft, a deliberate attack on your IT systems, the unauthorised use of personal data by an employee, or from accidental loss or equipment failure.
Employees can often be the first important step in detecting security breaches. They should be trained to spot any suspicious signs, such as strange phone requests, especially for information; unusual visitors; strange patterns of computer activity; unusual appearance of computer screens; and computers taking longer than usual to perform routine tasks.
Above all, however, your current cyber security software should be assessed to ensure it can provide an integrated, real-time defence, purpose-built for the complex malwares that pose persistent threats in today’s world.
Security software messages, access control logs and other reporting systems should be checked on a regular basis and any alerts issued by these monitoring services immediately acted upon. Regular checks should be conducted on the software and services running on your network in order to identify any malware; and vulnerability scans and penetration tests should also be regularly conducted with any weaknesses being addressed.
It is also recommended that mobile devices should be set up with encryption software so that, in the event that they are lost or stolen, the data is securely protected.
5. Respond to a Data Breach
Should an attack happen, technology and processes should be put in place to stop a breach quickly following its detection, assess the systems and data that have been compromised, mitigate the impacts, and report it.
The information gathered will help you decide who should be notified of the breach, whether it’s the individuals concerned; the Information Commissioner’s Office (ICO); other regulatory bodies; other third parties e.g. the police and the banks; or the media.
In some cases there is no need to report to the ICO. For instance, where there is little risk that individuals would suffer significant detriment, for example because a stolen laptop is properly encrypted or the information that is the subject of the breach is publicly-available information.
If, however, the personal data breach is likely to result in a risk to the rights and freedoms of individuals – perhaps through discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage – the ICO and the affected individuals should be notified of the breach type and the breach impact promptly, at least within 72 hours of discovering the breach.
The report to the ICO must include likely consequences of the breach and your plan of action to remedy the situation and mitigate adverse consequences to the individuals.
With the General Data Protection Regulations (GDPR) coming into force on 25th May 2018, you will hopefully be well on the way to becoming compliant.
These more technical challenges can seem a little daunting but be assured that VCI Systems is on hand to offer help and advice. If you would like to talk through any specific points above or of previous articles, please do get in touch on 0118 976 7111.