Data breaches: why they matter and how to prepare
Data breaches can have significant, sometimes devastating, consequences for the individuals whose data has been affected, which is why the GDPR puts such emphasis on securing personal data and reacting fast when a breach is detected. They can also have damaging financial and reputational consequences for your organization, making it important for your business to be ready to quickly identify a personal data breach and mitigate the damage it may cause. This guide is designed as an introduction to the topic of personal data breaches in respect of the EU and UK GDPR. It looks at the types of data breaches that occur and why, what steps organizations can take to keep data secure and reduce the risk of breaches and what you need to do in the event of a data breach.
Security Incident vs Personal Data Breach
It is important to be able to identify when a personal data breach may have occurred. Both a security incident and a personal data breach happen due to a compromise to the confidentiality, integrity or availability of information. With a security incident this can be any information, including financial information, commercially sensitive data or health information. A personal data breach, however, specifically affects personal information as defined by the relevant legal framework. Under the GDPR, a data breach is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data”. The critical point here is that while all breaches qualify as incidents, not every incident will amount to a personal data breach.
How might a data breach occur?
Understanding the types of data breaches can help organizations better prepare for and respond to these risks. Data breaches often occur accidentally, for example by an employee mistakenly sending information to the incorrect recipient, inadvertently clicking on a malicious link, losing a device with stored data on it or misconfiguring a security setting in a system. Most commonly, poor password practices, lack of software patches, and a general lack of cybersecurity awareness will be the problem.
Another common type of breach is a malicious breach, which can involve either external threats or internal culprits. These breaches use tactics like hacking, phishing, and ransomware to exploit vulnerabilities. For example, phishing emails may steal login credentials, or malware could capture keystrokes. Such breaches are usually more damaging, with attackers aiming for financial gain or harm to the organization.
Unauthorized or accidental disclosure of or access to personal data is known as a confidentiality breach. An unauthorized or accidental alteration of data is deemed to be an integrity breach. Where data is accidentally or intentionally lost or put out of reach, this is known as an availability breach. One incident can amount to one or more types of breach. An act of God such as a fire or flood can also result in a data breach.
Why care about data breaches?
Understanding the implications of data breaches is crucial for any organization handling personal data. Failing to prevent or address breaches adequately can lead to severe consequences across various aspects of your business and for the individuals affected. In this section we look at why safeguarding against data breaches should be a priority.
Harm to Individuals
Data breaches can directly impact the lives of the individuals concerned. It is more common to think about financial implications caused by activities such as fraud, identity theft, and unauthorized transactions. However, the exposure of sensitive personal data such as health information can have devastating social implications for individuals such as discrimination or the breakdown of relationships. Breaches therefore have the potential to cause significant material and emotional distress to those whose data is compromised.
Regulatory Penalties (e.g. fines)
Data protection laws impose heavy penalties for non-compliance. Under the EU GDPR, fines can reach up to €20 million or 4% of an organization’s annual global turnover. Similarly, UK GDPR imposes fines of up to £17.5 million or 4% of global turnover. These substantial penalties serve as a powerful motivation to uphold strict data protection standards.
Reputational Damage
A data breach can significantly harm an organization’s reputation. Erosion of trust is a primary risk, as customers may lose confidence in your ability to protect their data, leading to reduced loyalty. Additionally, negative publicity from media coverage can damage brand image, deterring potential customers. Rebuilding a tarnished reputation requires time and resources, making it a costly consequence of a breach.
Compensation Claims
Organizations face the risk of legal costs when affected individuals pursue compensation, which can result in significant legal fees and payouts. Dealing with compensation claims is also a costly and time-consuming endeavour, especially since it detracts from business as usual.
Business Interruption
Breaches can cause operational disruption, leading to downtime and reduced productivity. Such incidents may cause service delays that damage an organization’s reputation and ultimately its revenue, and the longer the disruption lasts, the greater the impact on the organization’s revenue and turnover.
What are you expected to do to prevent a breach?
Preventing data breaches is essential to comply with UK and EU GDPR requirements, as outlined in Article 32, which mandates that organizations implement robust security measures to protect personal data. Effective preventive steps help reduce security risks, protect personal data, uphold trust, and maintain regulatory compliance. Here we consider what activities a business can do to prepare for and reduce the likelihood of a breach occurring.
Risk Assessment
Regular risk assessments are essential for identifying and mitigating potential threats to data security. These assessments involve evaluating the risks associated with data processing, identifying vulnerabilities, and developing strategies to address them proactively. By regularly examining risk areas, organizations can adapt to new threats and ensure that their security measures remain effective in preventing breaches.
Data Encryption and Pseudonymisation
Data must be secure when it passes over the network and when it is stored, and encryption is a key component for safeguarding data in both cases. Properly implemented encryption makes data unreadable to anyone who does not hold the decryption key, so an intruder who obtains the stored or transmitted data cannot read it. The second safeguard is pseudonymisation, which replaces identifying information with artificial identifiers held separately, making it very difficult for a user who doesn’t have authorisation to link the data back to a particular person.
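The following is an added example, not code from the article, showing one way to pseudonymise a dataset so that the records can still be linked and analysed but no direct identifier remains in them. It assumes a keyed HMAC-SHA256 scheme: the secret key is the "additional information" that the GDPR requires to be kept separately, and without it the pseudonyms cannot be mapped back to a person. The records, field names and key handling are constructed for illustration.

```python
"""Keyed pseudonymisation of direct identifiers (added example, standard library only)."""
import hashlib
import hmac
import secrets

# Constructed sample records; these are not real people.
RECORDS = [
    {"email": "alice@example.com", "dob": "1990-04-12", "diagnosis": "asthma"},
    {"email": "bob@example.com", "dob": "1985-11-02", "diagnosis": "migraine"},
    {"email": "alice@example.com", "dob": "1990-04-12", "diagnosis": "allergy"},
]

# Fields that directly identify a person and must not appear in the pseudonymised output.
DIRECT_IDENTIFIERS = ("email", "dob")


def new_pseudonymisation_key() -> bytes:
    """Generate the secret key.

    The key is the 'additional information' that must be stored separately
    from the pseudonymised dataset (e.g. in a key vault), with its own access
    controls. Anyone holding only the dataset cannot re-identify records.
    """
    return secrets.token_bytes(32)


def pseudonymise_value(key: bytes, field: str, value: str) -> str:
    """Return a stable pseudonym for one identifier value.

    A keyed HMAC is used rather than a plain hash: identifiers such as e-mail
    addresses have low entropy, so an unkeyed hash could be matched against a
    list of candidate values. The field name is mixed in for domain separation,
    so the same string in two different fields yields different pseudonyms.
    """
    message = field.encode("utf-8") + b"\x00" + value.strip().lower().encode("utf-8")
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def pseudonymise_record(key: bytes, record: dict) -> dict:
    """Replace every direct identifier in a record with its pseudonym; keep other fields."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            out[field + "_pseudonym"] = pseudonymise_value(key, field, value)
        else:
            out[field] = value
    return out


def pseudonymise_dataset(key: bytes, records: list) -> list:
    """Pseudonymise a whole dataset with one key so records of the same person stay linkable."""
    return [pseudonymise_record(key, r) for r in records]


def contains_direct_identifiers(records: list) -> bool:
    """Check used before releasing a dataset: True if any raw identifier field survived."""
    return any(field in record for record in records for field in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    key = new_pseudonymisation_key()
    safe = pseudonymise_dataset(key, RECORDS)
    for row in safe:
        print(row)
    print("direct identifiers present:", contains_direct_identifiers(safe))
```

Because the same key is used for the whole dataset, the two records belonging to alice@example.com carry the same pseudonym and can still be joined for analysis, while a dataset produced under a different key is not linkable to this one. Rotating the key therefore also breaks linkage between old and new exports, which is desirable when a dataset is shared with a third party.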
Access Controls
Limiting data access to authorised personnel is key to minimising exposure to sensitive information. Role-based access means that sensitive data can be stored in a way so that users can access only what is needed for their jobs. Another benefit of limiting access in this way is reducing the chances that an accidental leak to other employees could expose data within the organisation that should remain confidential.
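As an added example that is not part of the original article, the block below shows a minimal role-based access control check of the kind described above: each role is granted permissions only on the categories of data its job needs, anything not explicitly granted is denied, and every decision is logged so that an unexpected access pattern can be spotted. The roles, data categories and users are assumptions constructed for illustration.

```python
"""Deny-by-default role-based access control with an audit trail (added example)."""
from dataclasses import dataclass, field
from enum import Enum


class Permission(Enum):
    READ = "read"
    WRITE = "write"
    EXPORT = "export"


# Role -> {data category -> permissions}. Constructed for illustration.
# A role/category pair that is absent here is denied: there is no default grant.
ROLE_POLICY = {
    "hr_officer": {
        "employee_record": {Permission.READ, Permission.WRITE},
    },
    "payroll": {
        "employee_record": {Permission.READ},
        "bank_details": {Permission.READ, Permission.WRITE},
    },
    "support_agent": {
        "customer_contact": {Permission.READ},
    },
    # The data protection officer needs visibility but never bulk export.
    "dpo": {
        "employee_record": {Permission.READ},
        "bank_details": {Permission.READ},
        "customer_contact": {Permission.READ},
    },
}


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def denied_for(self, user_name: str) -> int:
        """Count denied attempts by one user; a spike is a useful detection signal."""
        return sum(1 for e in self.entries if e[0] == user_name and e[3] == "deny")


def is_permitted(user: User, category: str, permission: Permission) -> bool:
    """True only if at least one of the user's roles explicitly grants the permission."""
    for role in user.roles:
        if permission in ROLE_POLICY.get(role, {}).get(category, set()):
            return True
    return False


def access(user: User, category: str, permission: Permission, log: AuditLog) -> bool:
    """Enforce the policy and record the decision, whether allowed or denied."""
    allowed = is_permitted(user, category, permission)
    log.entries.append((user.name, category, permission.value, "allow" if allowed else "deny"))
    return allowed


if __name__ == "__main__":
    log = AuditLog()
    hr = User("hana", frozenset({"hr_officer"}))
    print(access(hr, "employee_record", Permission.WRITE, log))  # job needs it: allowed
    print(access(hr, "bank_details", Permission.READ, log))      # not an HR need: denied
    print(log.entries)
```

Keeping the grant table small and per-category is what limits the blast radius of an accidental leak: a support agent who mistakenly forwards a screen can only expose customer contact details, never payroll or bank data.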
System Resilience
Resilience also plays a key role in data security. Situations may arise where there is an unexpected disruption and a system will need to bounce back. A well-designed system will be able to recover in the event of a system failure or incident like data corruption. Ensuring systems are backed up regularly is also a key component of maintaining good data security. This means that, should something go wrong, the data can be retrieved from the backups keeping the work processes as seamless as possible. This also helps in the event of a breach where it might be possible to rectify the incident and keep it from progressing further.
Testing and Monitoring
Regular testing – such as thorough vulnerability scanning or penetration testing – should occur on a scheduled basis so that organizations can find areas that need to be patched and do so before there is an issue. Monitoring the systems should also be a routine occurrence, so that if something is happening that shouldn’t be, it can be addressed before it becomes a breach.
Data Protection by Design and by Default
Making data protection a part of the beginning of business processes means that data security isn’t an afterthought but a part of the initial framework. The processing of only the minimum amount of personal data occurs by default, and this results in less unnecessary exposure of personal data to unauthorised parties, and fulfils the principles of GDPR. This not only encourages compliance from the beginning, but it also results in improved security.
Incident Response Planning
A good incident response plan enables a quick and efficient response in the event of an incident by outlining the steps needed to contain it. This results in less damage, maintains trust, and allows the organization to recover more quickly.
Managing your supply chain
If they engage third-party processors to process personal data on their behalf, controllers must ensure that such processors are GDPR compliant. Under the EU GDPR and the UK GDPR, processors must carry out several key obligations, most notably regarding breach notifications and communications between controllers and processors. Such obligations must be reflected in a controller’s contractual documentation with their appointed processors. These agreements should outline the procedures processors must follow in case of a breach, including prompt notifications to the controller and any necessary pre-investigation or pre-assessment steps.
Responding to a Data Breach
Businesses need to take action immediately after a data breach is discovered in order to minimize harm and stay in line with the GDPR. Prompt action limits the risk of data and identity theft and meets the GDPR’s obligations: reporting to the supervisory authority within 72 hours as Article 33 requires, and informing those affected when needed as Article 34 requires. A prompt reaction also reinforces business credibility and customer trust, showing dedication to data security. It allows businesses to protect the rights of individuals and re-establish normal operations quickly. For further details on how to effectively respond to a breach, please refer to the article What to Do If a Breach Happens?
Notification
Following a data breach, organizations must notify the right people so that they can comply with the requirements of the EU GDPR and UK GDPR including the strict timelines and processes for making such notifications. Organizations, especially those in regulated sectors, also need to consider whether there are any additional notification requirements that they need to comply with, for example in the banking and healthcare sectors.
Follow-up steps
- Understand what personal data your organization processes and the risks associated with it, especially sensitive personal information and financial data
- Minimize the data your company holds to only what is relevant and necessary to reduce the volume of data that may be exposed in the event of a breach
- Review security measures and do not underestimate the importance of staff training
- Have the right team of people in place to be able to respond fast if a breach occurs
- Understand the notification requirements applicable to the data you process and the countries you operate in
- For organizations without an establishment in the EU or UK, make sure you have appointed an EU/UK representative to assist you in the event of a breach
Understanding and preparing for data breaches is essential for protecting both individuals and organizations. The GDPR provides a robust framework to prevent, detect, and respond to breaches swiftly, minimizing harm and fostering trust. By implementing preventative measures, ensuring third-party compliance, and having a well-structured response plan, organizations can mitigate risks and safeguard personal data effectively.