It didn’t take long after the 25th of May before the first breach notifications or questions came through. And generally that’s a good thing for the data subject. Let’s all be happy about this… as long as it didn’t happen in my organisation. The first thing that is the same for all breaches: ‘where do we start?’. And that is a general question that we have seen in almost all of the cases. Where do we start…
As you all know, not every breach needs (is obliged) to be reported to the authority or the Data Subject. There are some clear rules about that. Yeah? Are there? Yes, some clear legal rules: if the privacy of the subject is at risk, you should report. And in practice, what does that mean? Is my privacy at risk if you leak an xls with my name? No? It might be; imagine that you are a union and the list is the membership list. Already a different story. So what is clear from a legal perspective isn’t always clear at the operational level. And let’s be honest, we still live at the operational level and not at the legal level.
So you see, right from the start simple questions pop up that often have a difficult answer. How do you deal with it?
If we go through it and assume the breach needs to be reported, how do I do this AND what are the risks? We get 72h to report to the Data Subject, the Authority or both, which is not much. If you know that, according to my own estimations, forensics takes weeks, even months (first the process of selecting, having budget, then planning, gathering information, evaluating, drawing conclusions, getting a second check, sending out a draft report, adjusting with new findings, …), what can you report in these first 72h?
Be sure, you don’t want to tell too much, and certainly nothing that isn’t true. Let’s say that you are proactive and warn them that your entire database is hacked and they could have all information (maybe even sensitive info), and then, days (maybe more) later you come back saying that only names and email addresses were breached.
My first reaction would be: ‘do they actually know what they are doing in their security department?’
To conclude, there is much room for error in this process, and not many of the breaches are the same. So apart from the thin line that you balance on, there is the complexity that every breach is again a little bit different and new. In the best case, your own DPO doesn’t have any idea where to start. This at least indicates that you have never suffered a data breach. But having this limited time, with a new process or challenge and the damage (mostly to reputation) that can be done to the organisation, makes you consider whether this is the time to get external assistance.
There is no shame in handling the first breach guided by experienced specialists. ‘Better safe than sorry’, as the saying goes. In this case, more than true.