Since the GDPR took effect, a large number of personal data breaches have been reported across Europe, with major data breaches reported in the UK and Ireland. British Airways, Marriott International, Equifax , WhatsApp and Facebook are only a few examples of the investigatory action taken by the Irish and British Data Protection Authorities (DPAs). But data breaches, i.e., security incidents involving personal data, do not exclusively concern large corporations. Small and medium enterprises may also suffer from such incidents without the necessary mechanisms in place.
In this blog, we look at the guidance released by the UK’s National Cyber Security Centre (NCSC) to help small to medium-sized organisations prevent and plan their recovery from a cyber incident, malicious or accidental. We highlight the takeaway messages from this guidance and bring our data protection insights too.
1) Identify critical systems and assets
You should identify the necessary and critical personal data assets for your business, such as contact details and employee data alongside the business processes and systems in use, including their storage and access points. In this context, it is also important to identify and map the flow of the personal data within and outside your organisation. Documenting data input and output could reveal vulnerabilities in the data processing chain (at rest and in transit) and record all the actors with access and processing rights, such as processors.
For new systems, it is important to take the data protection principles into account from the outset (data protection by design), especially data minimisation and storage limitation. If the intended data processing activities raise major cybersecurity concerns, you should also conduct a data protection impact assessment (DPIA) and design the appropriate risk-mitigating measures against cyber threats.
2) Integrate risk management into your business routine
Both physical and cyber threats must be considered as part of your business risk. Data Protection is more about minimising and managing risks than eliminating them. You should review the cybersecurity measures in place, update and tailor them to your needs and vulnerabilities. For example, creating a backup copy of essential information is a necessary step, but the data retention period and the regularity of the back-up depend on the nature and size of your data processing activities. Regarding cyber insurance, NCSC highlights that this is an additional resource, but it will not protect you from an attack.
3) Design an incident plan
An incident plan should detail the necessary steps to safeguard personal data and resume business. This plan should involve all levels of employees. For example, you should assign roles to members of staff, and document who owns each responsibility in the event of an incident.
4) Be cyber aware and vigilant
Cyber training should be part of your core data protection employee training. Employees should be trained to trace cyber threats and alarms, such as loss of access to files and unusual account activity.
5) Cyber recording
To resume your business operations, it is necessary to activate your incident plan and implement proportionate and effective measures, such as changing passwords, replacing infected hardware and restoring services through backup.
Once business operations have been restored, you should log all incidents for future reference and consideration. Your vulnerabilities should be used as case studies for improvement. In addition to this, the data protection principle of accountability requires you to document and demonstrate your compliance with data protection law, including how you manage data breaches.
6) Notification obligations and publicity
The NCSC advises that you should formally report this cybersecurity incident to both internal and external stakeholders, once it has been resolved. Moreover, given that a cyber attack is a crime, you should consider notifying law enforcement via Action Fraud or through Police Scotland’s 101 call centre. In case of personal data breaches, you should liaise with your Data Protection Officer (DPO) and seek assistance whether this incident should be notified to the responsible DPA and the affected data subjects.
A quick guide on cyber measures
The principle of security is enshrined under Article 5(1)(f) GDPR and specified in Article 32. Article 32 also extends the application of this principle to processors. Although the GDPR does not name the appropriate measures, it provides key metrics and aims. Indeed, you should consider the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
The above steps help you identify where greater risks lie and apply enhanced measures. This means that you should map, review and assess your supporting assets, systems and infrastructure to identify potential and remote threats to the integrity, availability and confidentiality of the personal data held by your organisation.
Trilateral’s advisors can help you review your processes and systems and support you in handling cyber and offline data protection threats.