Practical guidance for responding to data breaches
More and more often, administrative penalties imposed by the President of the Personal Data Protection Office (UODO) result from negligence in identifying a personal data protection breach (e.g. the recent penalties imposed on MoneyMan.pl and the Medical University of Silesia). The new EDPB (EROD) guidelines, currently under review, are intended to help data controllers determine when a breach must be reported to the supervisory authority and when data subjects must be informed. They also include a set of recommendations on how to prevent breaches from occurring in the first place.
The guidelines focus on the most common breaches, which include ransomware attacks, theft of data from IT systems, loss of devices or data storage, and human error.
How to respond to data breaches?
- The authors of the guidelines advise preparing well in advance for a potential data breach. An internal instruction manual describing the course of action may be helpful, so that the controller’s employees know what steps to take in order to minimize the consequences of a breach.
- Having identified a data breach incident, the controller should immediately start analysing whether it poses a risk to the rights or freedoms of individuals and, if it does, notify the President of the Personal Data Protection Office (UODO). Notification of a breach should not be delayed until the investigation of its causes has been completed or measures have been taken to mitigate its effects.
- The deadline for notification is 72 hours at most, but in the case of high-risk breaches, waiting until the end of that period before notifying may be considered unsatisfactory.
How do you protect yourself from data breaches?
- Human error is difficult to eliminate. Staff training and clear guidelines for handling personal data can help, especially when it comes to sending correspondence and sharing data in IT systems. Sometimes simple measures, such as configuring the e-mail account to delay sending messages, can improve data security.
- Portable devices (such as flash drives) are not a good place to store sensitive data. If a controller uses such devices, their security can be improved with encryption, passwords, privacy filters or programs that allow remote deletion of data, and by giving staff clear guidelines on the use of such devices inside and outside the company.
- The controller should create backups of data processed in IT systems and secure them properly. A well-prepared backup system reduces the risk of losing data availability.
- IT systems should be tested regularly to detect possible irregularities.
- There should be an adequate level of identity verification when registering in IT systems, together with a password policy.