Last 90 days before a privacy incident | PrivSec Global live stream summary
by Sypher - May 25, 2023
In “Preparing for a privacy incident: last 90 days before it happens”, a densely-packed and informative 30-minute live stream at PrivSec Global May 2023, the panel of experts provides valuable insights and practical advice on how you can effectively prepare for privacy incidents, mitigate risks, and maintain compliance.
π§π» We’ve summarised, adapted, and organised the transcript to present a concise written version that captures the key points and insights shared by the panelists.
Meet the speakers
The moderator of this PrivSec Global live stream:
βοΈ André H. Paris — CIPM, CCEP-I, Managing Partner, Fakos – Data Privacy & Compliance Consultancy. André is a Brazilian Privacy and Compliance Expert, Professor and Lawyer, and author of the book “Ethics and Transparency - A Path to Compliance.”
The panelists:
ποΈ Emma Martins — Data Protection Commissioner, Office of the Data Protection Authority. Emma Martins believes passionately that responsible data protection practices are about protecting people, and that behaviour change comes from a cultural shift, rather than enforcement alone.
ποΈ Francesco Pozzoli — Since 2019, Francesco has been the Deputy Data Protection Officer of Very Ireland, one of the largest online retailers in Ireland, where he manages the data protection framework. Francesco is an IAPP Fellow of Information Privacy (FIP) and holds IAPP CIPP/E and CIPM certifications.
ποΈ Mihai Ghita — Mihai is the Co-founder and Chief Product Officer at Sypher, a technology company that builds privacy management and compliance software. He has over 20 years of experience of working in and with the risk and insurance industry.
Screengrab from PrivSec’s Global live streaming of Preparing for a privacy incident: last 90 days before it happens
Questions & answers
Let's dive into the discussion and discover how to navigate the critical period preceding a privacy incident.
Q1: SO, how can you prepare for an incident 90 days in advance, without knowing what will happen and when?
ποΈ Mihai: Let’s first discuss what it means to be prepared. Being prepared for a privacy incident entails having a documented understanding of how your organisation processes personal data, ensuring lawful and secure processing. This documentation:
- should be tailored to your specific processes, and not be a generic template from the internet.
- It should outline procedures for detecting, recognizing, and managing privacy incidents. You should also have the necessary resources to respond to such incidents.
- Lastly, you must be able to demonstrate that the measures listed in the documentation have been implemented appropriately and undergo regular audits.
All in all, being prepared for an incident means knowing what to do, rehearsing it, and having the required resources in place.
In response to your question, the short answer is that you cannot prepare for a specific incident 90 days in advance because you cannot predict the future. However, you can prepare to respond better than in your current state. By setting a deadline, such as August 18, 2023, you can aim to mitigate risks and demonstrate compliance better than you can today. Setting a 90-day timeframe allows for meaningful progress while maintaining focus and prioritisation, which is effective in real-life situations. For example, when taking on a new DPO role, you typically have three months to show results. The same principle applies when preparing for an audit.
Benefits of a 90-day preparation perspective:
- Clarity in decision-making — A 90-day timeframe provides ample time to make significant progress, while also enforcing focus and priority. It helps you decide what steps to take next.
- Control and job satisfaction — Shifting your perspective from "compliance work never ends" to "these are the things I will focus on in the next three months" gives you more control and enhances job satisfaction.
- Establishing a repeatable process — By adopting a structured approach to improvement, you create a process for continually enhancing your readiness. This is crucial because incidents will inevitably occur, and being able to respond effectively and demonstrate ongoing improvement is vital.
Q2: In your experience, what are the main sources of privacy incidents?
ποΈ Francesco: In my experience, the main sources of privacy incidents align with the findings of the 2022 Data Protection Commission report and a report published in March.
According to the report, 62% of the reported breaches were caused by communications sent to the wrong recipient, containing personal data, such as letters or emails. This primarily stems from human error.
While some may immediately think of malicious actors or targeted attacks when discussing data breaches, the majority of incidents are actually caused by human error. Even in cases of external attacks, they are often facilitated by human error, such as leaving a port open or making an unsecure configuration.
I often use a meme in my presentations that effectively represents the situation. It features a box on one side with all the security measures, including firewalls, antivirus software, data protection specialists, and information security experts.
On the other side, there's a normal-looking guy named Dave, symbolising human error. This meme highlights that despite all the security measures in place, human error remains a crucial factor. We are all susceptible to making mistakes because it's part of our nature as imperfect beings. Human mistakes are not a matter of if but when they will happen. To achieve zero risk, the only solution would be to avoid processing data altogether, thus emphasising the importance of data minimization.
In summary, both data and my personal experience confirm that human error is the primary factor behind privacy incidents. In the following discussion, we will explore strategies for addressing this issue effectively.
Q3: What are the best ways to prepare for a privacy incident?
ποΈ Mihai: From a practical perspective, prioritisation is key. While the theoretical knowledge of what needs to be done is widespread, taking action is crucial. Start by ensuring you have updated documentation such as the Records of Processing Activities (ROPA), privacy notices, vendor security assessments, and information security policies. These form the minimum foundation for compliance documentation.
Once the documentation is in place, it's important to verify its implementation and effectiveness. An accurate ROPA serves as a great starting point. To further improve compliance, assess each activity based on the likelihood and severity of privacy risks for data subjects. Assign risk severity and risk likelihood scores to each activity in order to prioritise actions.
In terms of risk severity, factors to consider include the volume of processed data, sensitive or vulnerable data, and data transfers to third countries. Collaborating with IT security is essential to evaluate security controls that affect the likelihood of incidents. By combining the severity and likelihood scores, you can determine the overall risk level and identify high-priority areas.
Next, focus on each activity, ensuring the required documentation is complete and accurate. Evaluate the controls and measures in place, ensuring they are appropriate for the identified risks. Consider conducting audits, implementing regular training and updates for staff, and performing tests to verify knowledge and competency. Create a to-do list based on these findings, targeting the most critical actions for the next three months.
Q4: What are the key components of an effective privacy incident response plan?
ποΈ Francesco: There is ample guidance available from the Data Protection Commission (DPC) and the European Data Protection Board (EDPB) on this topic, and one key aspect I would like to emphasise is internal communication.
As the Chinese general and philosopher Sun Tzu said in "The Art of War," knowing yourself and your enemy is crucial in battle. In this case, our enemy is human error. Therefore, addressing this factor becomes paramount. It is vital to ensure that the data protection team is informed promptly when a data breach occurs, so they can initiate the necessary actions.
While all employees are front-line defenders of privacy, they may not all be experts. Thus, comprehensive training is essential to help them understand what constitutes a data breach and to immediately notify the data protection team if they have any doubts.
Time is of the essence, as the clock starts ticking from the moment the organisation becomes aware of the breach. The data protection team must be notified promptly to carry out risk assessments, implement mitigation measures, and adhere to regulatory obligations, such as notifying the authorities and data subjects within the required timelines.
Effective internal communication ensures a swift response, enables proper collaboration, and allows for timely mitigation, minimising the potential damage. Therefore, my single most important advice is to prioritise and strengthen your internal communication processes to facilitate efficient incident response.
Q5: From an authority’s point of view, what are some of the mitigating factors that you take into account when investigating an incident and deciding whether to issue a warning rather than a fine?
ποΈ Emma: Firstly, we must emphasise the importance of assuming that a breach will happen and not ignoring the possibility. It should be acknowledged and included in the organisation's risk register to ensure it receives attention from senior management.
The misconception that breaches only happen to others or are caused by external hackers is misleading. In reality, human error plays a significant role in most breaches. Therefore, we must recognize the vulnerability within our own staff. When preparing for incidents, it is crucial to have a clear understanding of the risks, their scale, scope, and proximity.
Now, regarding how authorities approach enforcement decisions in the face of a breach, let's consider the language used in the GDPR, which may be applicable in this context.
Enforcement actions must be effective, proportionate, and dissuasive. Authorities consider responding to the harm and damage caused while also acting as a deterrent. It is not solely about issuing fines; the message conveyed by the enforcement action matters.
Major regulators often attract attention with significant fines, shaping the discourse around enforcement. Examining Article 83 of the GDPR, we find specific factors to consider. These include:
- the nature, gravity, and duration of the infringement,
- the number of affected individuals,
- the extent of harm or impact,
- and whether the breach was intentional or negligent.
Organisations should aim to demonstrate their lack of intent and showcase any actions taken to mitigate the damage. Additionally, the controller's track record of previous infringements and their cooperation with the authorities play a role. Timely and constructive engagement by controllers can significantly improve the situation for everyone involved. Open dialogue with the regulator is crucial, and involving the data protection officer (DPO) is advised. Other factors that may be considered include any financial gains resulting from the breach or aspects of the business model.
I would like to make two specific points in the limited time available. First, the degree of responsibility of the controller or processor regarding security and data protection by design is essential.
Accountability should be ingrained in the organisation's practices from the outset, not just in response to a breach.
Second, the manner in which the breach becomes known to the authority is significant. The organisation's reporting process, including the involvement of the DPO, even for near misses, and the timeliness of reporting, are crucial factors. Reporting deadlines can be tight in certain jurisdictions, necessitating quick response times. Therefore, organisations should have these two points firmly established in their business practices well in advance, recognizing that incidents will occur someday.
Q6: Besides what is legally required, how should organisations communicate with individuals in the event of a private security incident? And what steps can they take to regain trust and restore confidence?
ποΈ Emma: When it comes to regaining and restoring confidence and trust, it's important to note that you must have it in the first place in order to lose it. This goes beyond the 90-day period. Communication is crucial for organisations in handling data protection incidents because it's not just a legal or IT issue but a human one. It's about trust, confidence, and the success of your business. Shifting our understanding of data protection in this context helps us recognize why it's important to protect data and how to handle incidents when they occur.
If you approach it solely as an IT issue and react to it, you're bound to fail. Data protection needs to be ingrained in your organisation from the beginning. Having a DPO can greatly assist in transforming outcomes for organisations, especially in the event of breaches. However, you need to support your DPO and ensure they have the necessary tools to respond effectively, well in advance of any incident.
ποΈ Francesco: Regaining trust should start immediately after an incident happens. Communication plays a crucial role in this process. Article 34 of the GDPR was created to provide an opportunity for organisations to mitigate the damage caused by incidents and is a legal requirement.
However, even if it's not legally required, it can be good practice to notify affected individuals. Sometimes it's better to inform them rather than letting them find out on their own and potentially panic or overthink. Since you are the source of the information, you should provide them with the details they need in a clear manner.
It's essential to collaborate with your public relations team, as they can help with the wording when communicating with data subjects. External communication is important, as it allows affected individuals to receive the necessary information and take appropriate actions if needed.
Additionally, it's important to note that there are limits to regaining trust. If an organisation keeps experiencing the same breaches in the same area, it becomes increasingly difficult to rebuild trust. Learning from mistakes is crucial, especially when dealing with the stressful situation of a data breach. Ensuring that similar incidents don't occur again is essential for rebuilding trust, as repeated mistakes make it nearly impossible to regain trust.
Final thoughts
Preparing for a privacy incident requires a proactive and holistic approach that encompasses documentation, risk assessment, internal communication, and effective incident response planning. The panelists have emphasised the significance of recognizing human error as a primary source of privacy incidents and the need to prioritise internal communication and training to address this factor effectively.
Regaining public trust and restoring confidence after an incident also rely on transparent and timely communication with affected individuals, coupled with a commitment to learning from mistakes and preventing future breaches.
By adopting a 90-day perspective and leveraging the expertise shared here, organisations can strengthen their privacy practices, protect data, and navigate the challenging landscape of privacy incidents with greater resilience and compliance.
Useful links
- GDPR Readiness Assessment — Free Tool
- How to turn your ROPA into a roadmap for your privacy management program
- Remember to forget: Mastering data retention & deletion
- Privacy training that sticks | Overcoming 10 common excuses
- Privacy management & information security — Two sides of the data protection coin
___
Did you find this article helpful? Stay tuned for more by π connecting with us on LinkedIn or, better yet, π by subscribing to our weekly newsletter. We do our best to select the most interesting and relevant content in our field and deliver it to you in a bite-sized format, so you can stay up to date on topics such as Privacy Management & Compliance
Photo by Campaign Creators on Unsplash
