Since the General Data Protection Regulation (GDPR) became applicable in May 2018, several data breaches have occurred in European member states. These breaches showed that legal and IT teams need to work closely together to develop valid responses, make informed decisions, and validate action plans.
As a result, Aubay and Wildgen have joined forces to propose an end-to-end offer on personal data breach prevention and management covering both the legal and the IT aspects. In this article, they remind companies how to protect themselves through specific preventive measures, a personal data breach management process, and crisis communication.
Firstly, companies must ensure that sensitive data is adequately protected, especially the personal data they collect and manage. They must put a governance programme in place that includes security measures to protect personal data, as well as strategies and tools to mitigate risks. Prevention limits the impact of a crisis if a breach does occur.
Today, many types of threats target the personal data a company holds, including advanced persistent threats, malware, ransomware, insider threats, and criminal actors.
To raise awareness, Aubay and Wildgen suggest that companies perform internal diagnostics of their organisation on three levels: legal, functional, and technical. These diagnostics help determine an action plan to prevent data loss or theft.
On the legal side, the diagnostic determines whether the company needs additional contractual provisions. Specifically, it checks, adapts, or inserts clauses on security, confidentiality, and personal data protection obligations in the contracts with employees, third parties, and clients.
The functional diagnostic assesses the maturity of the company's personal data governance, which allows it to prepare its roadmap.
The technical diagnostic includes vulnerability analysis and penetration testing. Both the external perspective (what an attacker on the internet can reach) and the internal perspective (what an attacker who is already on the network can reach) can be covered by these tests. Web applications require dedicated tests of their own.
To mitigate risk, and to work on the behavioural aspects, advanced tools using machine learning and artificial intelligence can be deployed to detect new and emerging threats. These tools also assist security analysts by triaging and correlating the very large volume of logs and raising alerts on suspicious activity; the analysts still have to validate those alerts.
These tools offer additional modules that can automate responses to threats. They help companies protect their network, information system, and data against both external and internal threats.
Personal data breach management
A personal data breach can put a company at risk if the incident is not taken seriously and handled correctly. The GDPR requires the breach to be notified to the competent data protection authority, in Luxembourg the "Commission Nationale pour la Protection des Données" (CNPD), or the authority of another European member state, where feasible within 72 hours of the company becoming aware of it. That period is short. During it, the affected company must investigate the detected event, determine the risks to individuals and to the company or administration, and then take appropriate measures to mitigate the risk and limit the detrimental consequences of the breach.
Aubay and Wildgen provide assistance and expertise to companies managing these crisis situations. They help prepare the notification to the CNPD, which is an important milestone in crisis management. They also assess the process for informing the individuals affected by the breach and determine the content of that communication.
The actions the company takes immediately and the action plan it establishes to manage the crisis are key. The legal aspects must not be forgotten; they must be assessed in light of the situation, because they are a mandatory part of the risk management strategy.
A legal risk management approach is recommended for the communications issued to the competent data protection authority, to the individuals concerned and, more widely, to third parties. Reputational risk must also be considered, particularly in the communications sent to affected individuals.
The wording must be accurate so that the communication does not create additional legal exposure. Wildgen can assist in drafting these communications and in managing claims raised by individuals affected by the personal data breach.