GDPR: What To Expect When You’re Breached

You’ll notice I said ‘when’, not if, because if you have personal data online you will, eventually, be breached in some way.

I know this because the GDPR’s definition of ‘personal data breach’ (Art. 4(12)) does not just mean ‘hacked by a bad guy’, it means: “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;”. This therefore includes every unauthorised action that happens to the data, including the inevitability of human error. Nothing malicious, just a simple mistake, but it’s still a breach.

So if you accept that a breach IS going to happen at some point – and if you don’t you might as well stop reading – you’ll want to know what to expect from your supervisory authority (SA) should the breach meet the criteria for notification (Art. 33).

In September 2018 the UK’s ICO released ‘A guide to ICO audits’ as part of their Audit and Advisory service. In it they detail what you can expect from one of these ‘voluntary’ assessments, but I think it’s fair to say that the methodology can be extrapolated to what a post-breach audit would look like. It will just be a matter of degree.

Given the requirement for ‘cooperation’ and ‘mutual assistance’ (Arts. 60 and 61 respectively), I think it’s also fair to assume that the other EU member states will do / are doing much the same thing.

Audit/Advisory assessments will take one of the following forms:

  1. Voluntary – The ICO runs an entirely voluntary programme where you can request an assessment from them to determine whether your current practices meet regulatory requirements. If not, they’ll provide you with guidance to get there;
  2. Consensual – Based on a number of risk factors (e.g. size/type of organisation, industry sector, complaints received etc.), the ICO may come to you and ‘request’ your cooperation; and
  3. Compulsory – The ICO has enough ‘intelligence’ to consider your processing a high risk and will give you no choice.

Assuming you aren’t stupid enough to be in the position where the supervisory authority makes the audit compulsory (which they can per Art. 58(1)(b)) and you have instead agreed ‘consensually’ to it, this is a high-level summary of what the ICO say the audit will look like:

  1. Initial Contact:
    • introductory meeting / conference call;
    • letter of engagement / agenda;
    • scope agreement;
    • timescale agreement;
  2. Evidence Gathering / Prerequisites:
    • documentation review (e.g. relevant policies, procedures, asset and registers, training standards etc.);
    • interview of key personnel;
    • operational records (e.g. contracts, 3rd party SLAs, training records etc.);
  3. Onsite Audit:
    • meeting with senior management;
    • key staff interviews;
    • inspection of select data processing flows;
    • testing of relevant controls;
    • closeout meeting with all key stakeholders;
  4. Breach Incident (if applicable):
    • if the SA determines that a breach has occurred they will explain the required next steps;
  5. Reporting:
    • draft report (after 10 working days);
    • response with auditee’s ‘acceptance’, ‘partial acceptance’, or ‘rejection’ of findings;
    • final report;
  6. Publication:
    • For ‘voluntary advisory’ this will be a simple statement of: “The ICO has carried out an advisory visit with XXX” (this is good);
    • For ‘consensual audit’ this will include the Executive Summary from the final report (this could be very bad)!
  7. Follow Up:
    • 6 – 9 months after final report a mitigation status is required primarily on the scope areas and recommendations that were deemed “limited” or “very limited” (assume this is just for the consensual audits unless the advisory audit showed some significant deficiencies).

What will this audit look like from a far more serious post-breach perspective? For a start, the audit will be compulsory regardless of how they heard about it, and if you are not only capable of, but proactive in, providing the below, this will automatically count against you. These are my assumptions:

  1. Initial Contact:
    • you notify the ICO of the data breach, or
    • the ICO contacts you because they know there’s been a breach;
  2. Evidence Gathering / Prerequisites:
    • latest detail of the breach and updated estimation of risk/impact to data subjects’ ‘rights and freedoms’;
    • initial findings of the forensics team if breach was technical in nature;
    • details of what you’ve done so far to mitigate the damage to data subjects;
    • all of the documentation required in the voluntary audit but this is likely to go significantly deeper and include things such as your records of processing, documented lawful bases for processing, DPIAs (if relevant), security controls and so on;
  3. Onsite Audit:
    • meeting with senior leadership (e.g. CEO/BoD);
    • key staff interviews;
    • deep inspection of relevant data processing flows;
    • detailed testing of relevant controls;
  4. Reporting:
    • draft report;
    • auditee’s response, but [assume] without the choice to partially accept or reject;
    • final report;
  5. Publication:
    • Enforcement Notice – details of all the things you did/didn’t do leading up to the enforcement notice; and/or
    • Monetary Penalties – details of how much you were fined and why; and/or
    • Prosecutions – this is usually a named individual (10 of 13 in the last year);
  6. Follow Up:
    • depending on the details of the breach this will vary considerably.

Ideally every organisation in the EU would undergo a voluntary audit in preparation for a breach, but this is clearly both unwarranted (in terms of risk) and logistically impossible. For a start, the supervisory authorities simply don’t have the resources, and even if they did, the overwhelming majority of organisations know they’re not prepared and do not want to draw attention to themselves.

In the UK, a grand total of 69 organisations have received a voluntary audit since March 2018, and 57 have ‘consensually’ agreed to one. I really don’t see these numbers growing significantly.

But you don’t need the ICO to conduct this audit, as all of the requirements to conduct your own are written down for you. It’s called the GDPR, and there’s enough free information out there to work it out for yourself.

Failing that, there are literally hundreds of people who can perform one on your behalf. The ICO have basically stated that professionals with ISO 27001 Lead Auditor experience have the necessary auditing background to do so with some additional training in data protection/privacy. I assume the preference would be those with proven privacy experience and possibly certifications (NOT including ‘Certified GDPR Practitioner’).

From ‘A guide to ICO audits’:

Are the team qualified?
The ICO audit team all undertake internal audit training on induction, and thereafter may take or work towards the ISO27001:2013 Information Security Lead Auditor qualification, which is the industry standard for information security.

There’s even an additional standard that you can add to ISO 27001/2 to supply the necessary privacy control requirements; it’s called ISO 27701 – Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines.

At most this assessment would be a few days’ exercise, and the benefits would be significant:

  1. you will actually have started on GDPR compliance, which from an appearance perspective is still seen as a good thing;
  2. you will have an indication of your most egregious gaps, which goes hand-in-hand with your business risk;
  3. the next steps toward GDPR compliance will become immediately obvious;
  4. the necessary change to your company culture can finally begin;
  5. you’re obeying the LAW!

I know I’m biased, but I cannot think of ONE reason why every organisation is not making an effort to achieve GDPR compliance. Clearly they enjoy gambling more than I do.
