One of the questions I am regularly asked is “what do the ICO class as a reportable data breach?”
My reply is that you should always seek the ICO's own advice, since they continue to publish guidance; however, it is important first to establish what a data breach actually is.
The ICO’s definition of a personal data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes”.
There is still a commonly held view that breaches are only about loss or disclosure of personal data, including 'special category' (sensitive) personal data. The ICO definition is wider than that. The information security community works with the CIA triad of Confidentiality, Integrity and Availability as three security pillars, and the definition above maps onto all three: unauthorised disclosure or access is a confidentiality breach, alteration is an integrity breach, and destruction or loss is an availability breach. Each pillar matters as much as the others, both in information systems security and when deciding whether a data breach has occurred.
Whether a breach is reportable, however, is always about the severity of its impact on individuals. It is the risk of harm to one or more individuals that counts, and this brings us straight back to someone needing to analyse that impact in real time.
The requirement is to notify the ICO without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach. That leaves very little time to work out the level of harm or distress that the data loss, corruption or loss of availability is going to cause. This remains difficult to quantify and may involve more than one team.
Take the example of a lost name and address. Most would consider this low impact, but when that address finds its way into the hands of an estranged parent who has threatened the other parent, it takes on a completely different level of severity. Assessing severity is therefore not as simple and straightforward as working through a checklist.
So a preliminary risk assessment focusing on severity has to be made quickly, in real time, with as much information as possible and with the right people in the loop. This requires good, strong communication between all stakeholders and will be the basis for the decision on whether to report the breach to the ICO or only record it internally (every breach must be documented, whether or not it is reported). This is why, in a recent webinar, I discussed the need to automate the communication, incident management and some of this information gathering by using an external partner such as Everbridge's Critical Event Management System. The information is collected, stored, assessed and presented in real time, in a way that allows the key individuals to make the decisions needed to ensure compliance.
The GDPR is about protecting people, and that requires having systems in place both to protect the data and to make decisions quickly. My question remains: do you have the processes and systems in place to make a timely, informed decision?