Learn how to assess and report data breaches under GDPR in this article. Find out what steps and factors to consider when notifying authorities and data subjects.

In my experience the most difficult component to identification is understanding what data may have been exfiltrated when evidence of comprise is discovered. DATA FLOW DIAGRAMS ARE CRITICAL During breach identification, having accurate data flow diagrams enables you to quickly assess the sensitivity of different assets and allows you to set up proactive detection alerts on anomalous traffic

One of the main steps while responding to a data breach is writing a Forensic Incident Report. Here are some of its essential elements: 1. Brief description of the incident. 2. Start and end times. 3. Where it took place. 4. List of affected systems, networks, or data. 5. Incident Type. 6. Timeline detailing the incident's progression and response. 7. What evidence was collected, how, and its relevance. 8. Results of the forensic analysis, including indicators of compromise, origin of the attack and exploited vulnerabilities. 9. Analysis of the incident's impacts on the organization. 10. Immediate actions to contain current threats. 11. Long-Term recommendations to prevent similar incidents. 12. Relevant logs. 13. Any additional evidence.

How do you assess the risk of a data breach under GDPR?

Data breaches are a serious threat to any organization that handles personal data of EU citizens. Under the General Data Protection Regulation (GDPR), you have a legal obligation to report any data breach that poses a risk to the rights and freedoms of the affected individuals within 72 hours of becoming aware of it. But how do you assess the risk of a data breach under GDPR? In this article, we will explain the key steps and factors to consider when performing a risk assessment and notifying the relevant authorities and data subjects.

1 Identify the breach

The first step is to identify the breach and determine its scope, scale, and impact. A data breach is defined by GDPR as any unauthorized or unlawful access, disclosure, alteration, loss, or destruction of personal data. This could be caused by malicious attacks, human error, technical failure, or natural disasters. You should document the breach and collect as much information as possible, such as the type and amount of data involved, the source and cause of the breach, the date and time of the incident, and the potential consequences for the data subjects and your organization.

Add your perspective

Alexander Feng

CEO - Business Agility & Compliance Assurance
(edited)
Report contribution
In my experience the most difficult component to identification is understanding what data may have been exfiltrated when evidence of comprise is discovered. DATA FLOW DIAGRAMS ARE CRITICAL During breach identification, having accurate data flow diagrams enables you to quickly assess the sensitivity of different assets and allows you to set up proactive detection alerts on anomalous traffic

Like
Cherian Thomas

Cyber & Corporate Security Leader | CISSP | Engineering | GRC | Risk | Privacy | CMMC | Advisor | Mentor
Report contribution
In my experience the analysis phase is the most critical phase to get the review and next steps correct. If the company has good data classification model implemented its a bit easier to access. Some things to analyze : - classification of data - amount of data attributes - number of subjects impacted These decide the impact of the breach and controls to implement.

Like
Dirk Moltzen

Dein Datenschutzpartner 🛡 Deine Kundendaten - meine Mission. Gemeinsam die Komplexität der DSGVO mit Leichtigkeit meistern. Maßgeschneiderte Lösungen für Unternehmen & Soloselbstständige
Report contribution
Der Faktor Mensch führt immer wieder zur Offenlegung von Daten. In der Regel sind es Bedien- oder Speicherfehler. Falsch hinterlegte Faxnummern oder falsch zugestellte Dokumente. Bei digitalen Dokumentationen z.B. Pflegedokumentationsprogrammen für Pflegedienste, wurden Ärzte und Apotheken falsch zugeordnet. Hier muss sehr genau kontrolliert werden und in der Einführungsphase mehr unterstützt werden. Die Zusammenarbeit mit dem Qualitätsmanagement hat sich als sehr sinnvoll erwiesen, ebenso regelmäßige Update-Besprechungen zur Sensibilisierung der Mitarbeiter und der Geschäftsleitung.

Translated

Like

2 Assess the risk

The next step is to assess the risk of the breach to the rights and freedoms of the data subjects. This means evaluating the likelihood and severity of the harm that could result from the breach, such as identity theft, fraud, discrimination, reputational damage, or psychological distress. You should consider factors such as the sensitivity and context of the data, the number and characteristics of the data subjects, the nature and extent of the breach, and the effectiveness of any security measures or mitigation actions taken. You should use a consistent and objective method to measure and rank the risk, such as a matrix or a scale.

Add your perspective

Kevin Else CISA
Report contribution
Assessing the "severity of the harm" can be really difficult. Always assume that it will have a dramatic effect and then prove the opposite, rather than the other way round. The release of an email address in itself may not seem to much of a risk, but what if the mailbox was only used for a specific purpose, such as contacting a support worker when in an abusive relationship. As well as the risk to a person there is also the risk to the business to consider. Again it is better to assume the worst then justify to yourself why that is not the case. You will potentially have to pass this information to the authorities, so be clear on your justifications as to why it is not a risk

Like

3 Notify the authority

If you determine that the breach poses a risk to the rights and freedoms of the data subjects, you must notify the supervisory authority in the country where your organization is established or where the breach occurred within 72 hours of becoming aware of it. You should provide a detailed description of the breach, its impact and consequences, the measures taken or planned to address and prevent it, and the contact details of your data protection officer or other representative. You should also cooperate with the authority and follow its guidance and instructions.

Add your perspective

4 Notify the data subjects

If you determine that the breach poses a high risk to the rights and freedoms of the data subjects, you must also notify them without undue delay. You should inform them of the nature and scope of the breach, the potential harm and implications, the steps taken or planned to remedy and prevent it, and the contact details of your data protection officer or other representative. You should also advise them of their rights and actions they can take to protect themselves, such as changing passwords, monitoring accounts, or contacting authorities. You should use clear and plain language and choose an appropriate communication channel, such as email, phone, or post.

Add your perspective

5 Review and improve

The final step is to review and improve your data protection policies and practices to prevent or minimize the risk of future breaches. You should conduct a thorough analysis of the root causes and contributing factors of the breach, identify and implement any corrective and preventive measures, monitor and evaluate their effectiveness, and update your risk assessment and data protection impact assessment accordingly. You should also train and educate your staff and stakeholders on data protection principles and best practices, and ensure compliance with GDPR and other relevant laws and standards.

Add your perspective

6 Here’s what else to consider

This is a space to share examples, stories, or insights that don’t fit into any of the previous sections. What else would you like to add?

Add your perspective

André H. Paris

Professor, Speaker, Privacy & Compliance Consultant
Report contribution
One of the main steps while responding to a data breach is writing a Forensic Incident Report. Here are some of its essential elements: 1. Brief description of the incident. 2. Start and end times. 3. Where it took place. 4. List of affected systems, networks, or data. 5. Incident Type. 6. Timeline detailing the incident's progression and response. 7. What evidence was collected, how, and its relevance. 8. Results of the forensic analysis, including indicators of compromise, origin of the attack and exploited vulnerabilities. 9. Analysis of the incident's impacts on the organization. 10. Immediate actions to contain current threats. 11. Long-Term recommendations to prevent similar incidents. 12. Relevant logs. 13. Any additional evidence.

Like

Load more contributions

How do you assess the risk of a data breach under GDPR?

1

2

3

4

5

6

1 Identify the breach

2 Assess the risk

3 Notify the authority

4 Notify the data subjects

5 Review and improve

6 Here’s what else to consider

Information Security

Rate this article

Thanks for your feedback

More articles on Information Security

More relevant reading

How do you assess the risk of a data breach under GDPR?

1

2

3

4

5

6

1 Identify the breach

2 Assess the risk

3 Notify the authority

4 Notify the data subjects

5 Review and improve

6 Here’s what else to consider

Information Security

Rate this article

Thanks for your feedback

Explore Other Skills