



If you think that data breaches only happen to someone else, think again. Data breaches have happened to all types of businesses, from small ecommerce stores to large corporations such as Microsoft, and it could happen to you as well.
Each time your company suffers a breach, it's like leaving your door open to a stranger: they've gained access to your confidential information and can use it to their advantage. But not every security incident is a data breach in the legal sense. A break-in at your premises or a malware infection on your systems is a security breach; it becomes a personal data breach only when personal data is destroyed, lost, altered, disclosed or accessed as a result. The rest of this article uses "data breach" in that narrower, GDPR sense.
Data breaches and abuse of data are costly, both financially and in terms of reputation. Fines for data breaches can be huge, while abuse of customer data can lead to a loss of customers, reduced sales, and even loss of the business altogether. Not only do these incidents damage your bottom line, they also cause a lot of stress and pain for your employees.
According to IBM's Cost of a Data Breach Report 2021, the average cost of a breach rose about 10% year over year, and lost business (customer churn, downtime and reputational damage) accounted for 38% of that average cost, the single largest share.
Can your business absorb a cost like that? If not, you need to implement breach prevention measures and have a data breach response plan in place. When a breach occurs, you must respond as the law requires and limit the damage.
The GDPR (Article 4(12)) defines a personal data breach as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data. Note that this covers more than theft: accidentally deleting the only copy of your customer records is a breach too.
It could appear as a confidentiality breach (personal data is disclosed to or accessed by someone not authorized to see it), an integrity breach (personal data is altered without authorization) or an availability breach (personal data is lost, destroyed or made inaccessible, for example by ransomware). A single incident can fall into more than one category.
Data protection laws require businesses to protect personal data from unauthorized access. When an unauthorized person accesses the data, you have a data breach.
It doesn't matter whether the unauthorized person is a hacker who wants to steal and abuse your data or an employee or contractor who should not have access to it: as long as the access is unauthorized, it is a data breach.
It also doesn't matter whether the personal data has actually been abused. A breach is still a breach.
Finally, whether the breach poses a risk to the rights and freedoms of your data subjects, or whether the intruder could make any practical use of the data (for example because it was strongly encrypted and the keys were not compromised), does not change whether a breach occurred. Those questions decide something else: whether you must notify the supervisory authority and the affected individuals. The breach itself happens at the moment of unauthorized access.
A data breach as defined in the GDPR is different from a data security breach.
A security breach means a breach of your information system. Sometimes these breaches do not involve personal data at all, so they are not personal data breaches.
However, every personal data breach results from some data security failure. Therefore all personal data breaches are security breaches, but not the other way round.
Data breaches happen every day, and each one traces back to a security failure at the organization that was breached. To handle them properly, it helps to separate a security incident from a security breach. A security incident is any event that threatens or compromises the security of your systems or data: a phishing email an employee clicked, a lost laptop, a misconfigured server. It becomes a data breach once you establish that protected data was actually destroyed, lost, altered, disclosed or accessed without authorization. Every breach starts as an incident; the incidents whose impact on personal data is confirmed, or cannot be ruled out, are the ones you must treat as breaches.
Personal data breaches can be classified by several criteria.
One is what caused them: internal factors, such as misuse by your own employees or simple human error, or external factors, such as a cyber attack. Another, used by the EU data protection authorities in their breach notification guidance, is the effect on the data: loss of confidentiality, integrity or availability. These are the most common breaches that occur regularly:
When a data breach occurs, you need to do some or all of the following actions:
For example, in the case of a letter or email sent to the wrong recipient, you can reach out to the receiving person, ask them to delete the personal data they received, and get confirmation that they have done so.
On the other hand, once data has leaked at scale and spread beyond your control, you cannot recall it. Your options are then limited to containing the damage: closing the hole that was exploited, rotating any exposed credentials or keys, and warning the people affected. If the leaked data was properly encrypted and the keys were not compromised, the risk to individuals is far lower, which is one reason encryption at rest matters.
Sometimes you'll need to report the breach to the authorities and to the data subjects, but in some cases it won't be necessary. Recording the breach in your internal breach register (the facts, its effects and the remedial action taken, as Article 33(5) GDPR requires) is the one action you must take for every breach, reportable or not.
When to report
The GDPR (Article 33) requires data controllers to notify the competent supervisory authority (the national data protection authority) of a breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals concerned. The clock starts when you become aware of the breach, not when it happened. If you notify later than 72 hours, the notification must state the reasons for the delay, and a delay without a sufficient reason exposes you to penalties. If you are a processor, you must inform the controller without undue delay after becoming aware of a breach; the controller then decides on notification.
How to report
The GDPR does not prescribe a channel. Most authorities publish a breach notification form on their website and many also offer a phone line or email address; the form is usually not mandatory, but it is the quickest way to make sure you cover everything the authority expects, so use it when one exists. What matters is that the notification reaches the authority in time and contains the required information.
Simply put, you can pick up the phone and call the authority, use the form on their website, or send them an email. Keep a record of when and how you notified and what you said. You'll be compliant as long as you notify within 72 hours of becoming aware of the breach (or later, with a documented reason for the delay).
What information to include in the report
Article 33(3) GDPR sets the minimum content of the notification:
the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects and of personal data records concerned;
the name and contact details of your data protection officer or another contact point;
the likely consequences of the breach;
the measures you have taken or propose to take to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.
If you don't have all of this within 72 hours, notify with what you have and provide the rest in phases as it becomes available (Article 33(4)); do not wait for a complete picture. You can add any other information that you find relevant. No two breaches are the same, therefore no two breach reports are the same.
What the reporting procedure looks like
You report the breach. Someone from the agency guides you on what you need to do next and you cooperate. That’s the only predictable step. The rest depends on the nature of the breach.
You must also communicate the breach to the affected data subjects, without undue delay, when it is likely to result in a high risk to their rights and freedoms (Article 34 GDPR). Typical examples are exposure of health history data, dating app behaviour or private communication related to work. The communication must describe the nature of the breach in clear and plain language and contain at least the contact point, the likely consequences and the measures taken, the same information you gave the data protection authority. You may skip individual communication if the data was protected so that it is unintelligible to the intruder (for example properly encrypted with uncompromised keys), if you have since taken measures that remove the high risk, or if contacting everyone individually would take disproportionate effort, in which case a public announcement that informs people equally effectively is required instead.
There are measures that will significantly reduce the chances of having a data breach. However, there are some things to note:
Your measures depend on your business circumstances, the amount of data you process, the sensitivity of that data, and so on. A shop processing names and delivery addresses and a clinic processing health records need different controls, and the GDPR (Article 32) expressly ties the required level of security to the risk.
Some of the measures you could implement include:
There's no way to sugarcoat it: data breaches happen to everyone. Your business is not immune, and you had better be prepared if and when it happens. This is why having a data breach response plan in place will make things easier and simpler for you. When a breach occurs, you'll know exactly what to do to minimize its negative effects.
No two businesses are the same, therefore no two data breach response plans are exactly the same, but there are common elements that make them good.
A comprehensive plan may be made of the following parts:
Of course, this is not an exhaustive list. Let it guide you, but make sure you adjust your plan to your specific circumstances.
A data breach is a disaster waiting to happen to any business that doesn't take care of data security. It may happen to you as well. In fact, if you have no data protection policies in place and your employees have unrestricted access to clients' personal data, they may be breaching personal data on a regular basis without anyone noticing.
Data breaches are one of the leading reasons for GDPR penalties, so you have to do what you can to secure your data and avoid them.