Data Breach Response
Companies across the UK are recognising the value of putting in place the security controls needed to limit the harm caused by cyber crime. So far, however, the emphasis has been on safeguarding information by preventing data breaches. Given the growing and unpredictable risk environment, it is only a matter of time before every company experiences a security breach.
The inescapable fact is that developing an effective data breach response strategy is no longer optional. Organisations that are not ready to react to a security breach will only intensify the effect of the attack and its after-effects, which may cause significant damage to their reputation and financial well-being.
Reaction & Management
Strategy
As the number of cyber attacks and incidents grows, organisations must establish a data breach response strategy that maps out the crucial steps to take, and the actions employees must carry out, in the event of a security breach.
Universal
The appropriate reaction to, and management of, incidents is of vital importance to all businesses, whatever their size or sector: manufacturing, service or construction, public or private.
Mitigate Damage
Security breach response is a traceable, practical and intelligent methodology for managing an attack, from either an internal or an external source, that has breached your safeguards. It is a strategic approach to managing the incident with the objectives of limiting damage and reducing recovery time and costs, while revealing the route the attacker used so that it can be closed and protected.
The Cybata Difference: Focus, Trust & Insight
Our security breach department is made up of knowledgeable breach response investigators and security professionals whose insights have been accumulated over years of security appointments in both the private and public sectors. Our agency is precise, confidential and well prepared to deliver data breach response services, whatever circumstances your company may encounter.
If you are still uncertain how to proceed, or which of our services best suit your particular requirements, talk to one of our Cyber Security experts today.
Data Breach FAQs
How do you report a personal data breach?
A personal data breach is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
Data processors must notify the data controller without undue delay after becoming aware of a personal data breach.
Data controllers must notify the supervisory authority (the ICO (Information Commissioner’s Office) in the UK) without undue delay when they become aware of personal data breaches that are likely to result in a risk to data subjects’ rights and freedoms.
Where feasible, this must be done within 72 hours. Failure to do so could leave you facing administrative fines of up to €10 million or 2% of annual global turnover – whichever is greater.
Data controllers must also notify data subjects without undue delay if there is a high risk to their rights and freedoms. Note that, if the breached data is anonymised or encrypted to the extent that it is no longer possible to identify data subjects, there is no risk, and no notification is required.
According to Article 33, data controllers must provide the following information to the supervisory authority:
- A description of the nature of the personal data breach including, where possible, the categories and approximate number of individuals concerned, and the categories and approximate number of personal data records concerned;
- The name and contact details of your DPO or other contact point from whom more information can be obtained;
- A description of the likely consequences of the personal data breach; and
- A description of the measures you have taken, or propose to take, to deal with the breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.
If you don’t have all the information to hand within 72 hours, don’t worry: the GDPR allows you to provide the information in phases, although you must provide an explanation for the delay.
You can notify the ICO either by calling its helpline or by completing an online reporting form.
What rights does the GDPR grant for the EU Residents?
Initially, the only way companies can gain access to and control over any data is by consent. The subject of that data is then granted three main rights:
Right to access: Every EU resident has the right to know, on request, what personal data any company is holding and/or processing.
Right to erasure: Every EU resident has the right to require the deletion of all the data to which they have granted access that is held or processed by any company.
Right to data portability: If a data subject wants to move to a new service provider, they can ask the former provider to send all of their personal data to the new one in a standard, machine-readable format.
Does my organisation need to register with the ICO under the GDPR?
Every organisation or sole trader that processes personal data must register with the ICO (Information Commissioner’s Office) – unless all the processing they carry out is exempt – and pay an annual fee.
The fee you pay depends on your size and turnover:
- Tier 1: micro organisations (with a maximum annual turnover of £632,000 or no more than 10 employees) must pay £40 per year.
- Tier 2: small and medium-sized organisations (with a maximum annual turnover of £36 million or no more than 250 employees) must pay £60 per year.
- Tier 3: large organisations (those that do not meet the criteria for tiers 1 or 2) must pay £2,900.
Some exemptions apply.
Can GDPR compliance be automated?
It would be very difficult, if not impossible, to automate GDPR compliance. There are too many variables at each stage of the process. We always recommend that organisations seek tailored advice to ensure their own processes are compliant; after all, each business has its own organisational structure, personnel and systems.
What does “Secure by Design” mean in relation to Data Protection and GDPR?
A process within the company, or software developed or purchased by the company, is "secure by design" when data protection was treated as a key aspect and requirement during its development. In practice this means that all the data passing through it can be tracked, the processing is understandable and under control, and tools are available that grant data subjects their rights of access, deletion and portability.
What is the difference between Personal and Sensitive Data?
Personal data refers to any information relating to the data subject that can be used to reveal his or her identity, directly or indirectly.
Sensitive data refers to information relating to the data subject's fundamental rights, intimacy and free will. Examples include health records, religious beliefs, political opinions, biometric data and genetic data.
What are the Penalties for GDPR non-compliance?
There are two levels of GDPR fine:
Lower level of GDPR penalties
Fines of up to £8.7 million under the UK GDPR, €10 million under the EU GDPR or 2% of annual global turnover can be issued for infringements of articles:
- 8 (conditions for children’s consent);
- 11 (processing that doesn’t require identification);
- 25 – 39 (general obligations of processors and controllers);
- 42 (certification); and
- 43 (certification bodies).
Higher level of GDPR penalties
Fines of up to £17.5 million under the UK GDPR, €20 million under the EU GDPR or 4% of annual global turnover can be issued for infringements of articles:
- 5 (data processing principles);
- 6 (lawfulness of processing);
- 7 (conditions for consent);
- 9 (processing of special categories of data);
- 12 – 22 (data subjects’ rights); and
- 44 – 49 (data transfers to third countries or international organisations).
How are GDPR fines calculated?
GDPR fines are discretionary rather than mandatory. They must be imposed on a case-by-case basis and should be “effective, proportionate and dissuasive”.
Any fine you might receive will depend on:
- The type of infringement, how severe it was and how long it lasted;
- Whether it was deliberate or accidental;
- The action you took to reduce the damage to individuals (data subjects);
- Your security measures;
- Whether this is your first GDPR infringement;
- How cooperative you were when fixing the issue;
- The types of personal data involved;
- Whether you notified the supervisory authority yourself; and
- Whether you adhere to any approved codes of conduct or certification schemes.
Cybata introduces, informs and supports your enterprise in compliance with the European General Data Protection Regulation (GDPR), and in protection against cyber crime and other potential security breaches.
Company registration number: 09734419
Country of registration: United Kingdom
VAT number: 289 3645 49