Practical tips to be breach (not beach) ready

Mario I. Velasco BuenoMario I. Velasco Bueno
Written by
Mario I. Velasco Bueno
and
-
May 2, 2024

Loved this article? Share it with your network:

There are many articles about what a data breach is in different jurisdictions, when to report them to the authorities or other notification requirements, including to people (or data subjects as we like to say in GDPR countries).

I want to focus on very practical tips that will help you in the event of a data breach. I hope In-house privacy professionals (often lone wolves) welcome this approach.

1.  ROPAs (also called Records of Processing Activities):

Yes, you read it well. Having a proper ROPA will massively help you. This is because if you get compromised but don’t know what exactly has been compromised, you won’t be able to know if it’s a data breach or whether it meets the thresholds for notification. Investigations will be harder.

2.  Take retention periods seriously.

The less personal data you have, the better.

Do you imagine telling regulators about a breach involving all employee records for the last 20 years? Exactly, you don’t want to be that company.

This will also help you with access and deletion requests. I was talking to a company that received the typical access request from a disgruntled employee.

Can you guess what they did right after this? They reduced retention periods on communication channels to 1 month. The next headache will be a reduced one.

3.  Draft an Incident Response Policy.

You need to know in advance what you will do, when and who will be in charge of what. These situations are stressful. The more clarity, the better.

Every company will be different, but these are a few considerations for the Incident Response Policy:

a.  Create a register for security incidents, including when you consider them a data breach.

b.  Involve your legal department while drafting this policy. You really want to ensure that legal privilege is preserved as much as possible. In some jurisdictions, you can consider restricting the communication channels, copying your lawyer and label them as “confidential and legally privileged”. Selecting who will be involved is also crucial as you may lose legal privilege if you invite the wrong people.

c.   Let the lawyers (if you have them) lead the investigation. If it becomes obvious that it may be a serious breach, involve expert lawyers as soon as possible. I would be careful with letting the Data Protection Officer lead the investigations. This is not part of their GDPR duties (strictly speaking) and DPO advice is not legal advice, which means you may be increasing risks unnecessarily by receiving “advice” which is not covered by legal privilege. Of course, you will need to involve the DPO (if you have one) at some point so they can fulfil their duties.

d.  Lessons learned: after every breach have a quick session to see how you can improve the process. There is always room for improvement.

4.  Pre-select a law firm to deal with data breaches.

You don’t want to be looking for a law firm during a data breach. Ensure you have done your research first and that they can deal with the jurisdictions that you need. Some of them would be able to coordinate data breaches that are notifiable in the US and EU, for example.

A good law firm would also have recommended vendors to deal with cybersecurity investigations, public relations, extra help for customer service, or even negotiations with hackers.