BreachExchange mailing list archives

Report your data breach: 5 best practices to avoid breaching data regulation


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 8 Jan 2016 13:30:25 -0700

http://www.cbronline.com/news/cybersecurity/data/report-your-data-breach-5-best-practices-to-avoid-breaching-data-regulation-4772322

In December the European Union finally agreed on data protection laws that
will replace the patchwork of rules that had been in place since the 1990s.

As big data use becomes more prevalent, the need for proper regulation has
also increased, and the potential fines of up to 4% of global revenue are
designed to severely punish companies that breach the regulations.

It should be noted that despite the increased pressure on businesses to
comply with regulations and the strict punishments, the General Data
Protection Regulation is a good thing. It significantly reduces the
complexity and costs related to complying with 28 different sets of rules
and should make reporting a lot simpler.

Although the rules do not come into force until 2018, businesses need to plan
ahead. With this in mind, CBR has compiled a list of best practices that
should be undertaken to make sure that you don't fall foul of the
regulations.



1. Know where your data is

Those that are in charge of your data will have to ensure that personal
data which is moved or processed outside the EU complies with the GDPR.

This is an extremely important element: it means that US companies will also
be caught by the rules. If, for example, Facebook takes data from Spain and
analyses it in its US datacentres, that processing is still covered by the
GDPR, and Facebook will have to follow the same rules as everyone else.

Fail to follow the rules and a hefty fine will be heading their way.



2. Know what you can do with it

It's important to know how exactly you can use the data that you have;
understanding what is personal data and what is sensitive personal data is
a must.

Sensitive personal data, such as information revealing a person's ethnicity
or medical history, has a higher level of protection, so it is important to
obtain consent to keep it, even from your own employees.

The GDPR underlines the privacy of personal data, so from its implementation
businesses will have to build in 'privacy by design'. This means that data
must be gathered with explicit rather than assumed consent.

It also means that people can withdraw their data, so you can't just
accumulate data and store it away forever; you must have a policy for
disposing of it.



3. Remind your staff of the rules

Staff are potentially the weak link in any operation: just look at some of
the big data breaches that have happened because a person forgot to patch
something or didn't password-protect their files.

A breach can happen but there shouldn't be any excuse for neglecting the
data privacy rules.

Whether you hold refresher sessions that train staff on the rules or outline
the rules on posters around the office, it's important to make sure the
staff understand what the rules are and why they are important.

One of the reasons why they are important to the staff is that they could
well lose their job if they are negligent.



4. Address your data collection policy

This is vitally important: you need to know what you can collect and from
whom. You may not necessarily need to employ a data protection officer, but
you will need the right resources in order to deliver the necessary change,
which may include training existing staff.

Privacy should be at the forefront of business decisions, which may require
changing processes.

David Smith, deputy commissioner and director of data protection, ICO,
said: "Are you reviewing the personal data you hold, and why you hold it,
to ensure that you can meet the requirement for 'data minimisation'? Do you
know what a privacy impact assessment is? Have you used one yet?"



5. Report a data breach

This is an important new element of the regulation: companies must report a
data breach, so having the correct breach management plans in place is
vital.

You don't just have to inform the local information commissioner; you also
have to have a policy in place for informing the victims of the breach.

Organisations will have 72 hours to report a data breach from the point at
which it is discovered, and while you may think you can avoid a fine by not
reporting, this will actually make matters a lot worse.

Breaches of data protection will hit the business with fines of at least
two percent of global turnover or one million Euros, whichever is greater.
This applies only to the most serious breaches; the fines for other
compliance failures have not yet been explained.

However, you can probably expect them to be quite severe due to the level
of punishment related to a data breach.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
