Focus on data breaches
The DPOInsider covers the latest news and developments in data compliance and privacy. The DPO's favourite weekly read ☕️
Welcome to another edition of the DPOInsider. Today we’re trying a slightly different format and shifting the entire focus toward data breaches.
Data Breaches are on the rise
The last couple of weeks have shown why you should consider how you deal with and prepare for data breaches. IKEA Canada’s data breach affecting 95,000 people was an internal breach, a ransomware attack resulted in a data breach on the National Tertiary Education Union’s servers in Australia, and there are plenty more examples here, here, here, and here. And while 90% of data breaches are cyberattack-related, you also have to guard against situations like the recent data breach at the University of Essex:
A spreadsheet containing student IDs, dates of birth and contact details was “accidentally” attached to an email from a facilities management delivery partner on 23 March, requesting payment for repairs to a broken door on an accommodation block.
While this topic typically is the responsibility of the CISO, we want to address how a DPO can help address and minimize the risk. At this point, you should assume your business will be the victim of a breach eventually, so preparation and risk reduction are essential.
Minimize the data volume at risk
Data Minimization is an important tool for the DPO to reduce risk. For example:
Ensure you are only collecting the data you absolutely need to process. I’ve talked about this before, but many organisations’ default mode is to collect as much data as possible. It’s not all being used. It’s not creating value.
Ensure timely retention policies and execution to delete expired or unused data. Do you have a policy for data minimisation? How often do you determine which data is being used and which data is essential for your business?
Use data mapping knowledge
An essential tool for any DPO is their data mapping of the company’s data sources. By including user catalogs and permission information in the same system, access can be monitored to ensure that any user only has the data access they absolutely need, and that access is revoked when it’s not needed anymore.
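The retention review and the access review described in the two sections above can be run from the same data map. The following is an added example (not code from the DPOInsider or any product it mentions) over a constructed catalog: it flags sources held past their retention window, flags grants that are unused or idle, and shows how much data a breach would still expose once expired sources are deleted. The source names, record counts, dates and the 90-day idle threshold are all assumed values.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, Optional

@dataclass
class DataSource:
    """One entry in the data map: what a source holds and who can reach it."""
    name: str
    record_count: int
    retention_days: int
    last_used: date                                    # last business use of the data
    grants: Dict[str, Optional[date]] = field(default_factory=dict)  # user -> last access (None = never)

TODAY = date(2022, 5, 1)  # constructed reference date
# Constructed data map; names and figures are illustrative only.
CATALOG = [
    DataSource("crm_contacts", 50_000, 365, TODAY - timedelta(days=10),
               {"alice": TODAY - timedelta(days=3), "bob": TODAY - timedelta(days=200), "carol": None}),
    DataSource("event_signups_2019", 12_000, 180, TODAY - timedelta(days=400),
               {"bob": TODAY - timedelta(days=400)}),
    DataSource("payroll", 800, 2555, TODAY - timedelta(days=1),
               {"dave": TODAY - timedelta(days=1)}),
]

def expired_sources(catalog, today=TODAY):
    """Sources unused for longer than their retention window: deletion candidates."""
    return [s.name for s in catalog if (today - s.last_used).days > s.retention_days]

def stale_grants(catalog, today=TODAY, idle_days=90):
    """(source, user) pairs never used or idle beyond idle_days: revocation candidates."""
    return [(s.name, user) for s in catalog for user, last in s.grants.items()
            if last is None or (today - last).days > idle_days]

def records_at_risk(catalog, today=TODAY):
    """Records still held once expired sources are deleted: the volume a breach could expose."""
    expired = set(expired_sources(catalog, today))
    return sum(s.record_count for s in catalog if s.name not in expired)

if __name__ == "__main__":
    print("delete:", expired_sources(CATALOG))
    print("revoke:", stale_grants(CATALOG))
    total = sum(s.record_count for s in CATALOG)
    print(f"records at risk after minimisation: {records_at_risk(CATALOG)} of {total}")
```

Feeding the output of `stale_grants` into the access-revocation process and `expired_sources` into the deletion schedule is what turns the data map from documentation into risk reduction.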
In the same fashion, having an up-to-date vendor and partner catalog is essential to ensure that any data breach is dealt with across the entire supply chain.
This supply chain is getting more complex, so building a viable catalog early is a key way to be proactive.
Data Breach systems
GDPR states that any data breach should be reported within 72 hours, while India is introducing significantly stronger deadlines with a new 6-hour reporting requirement.
This is only doable when breach information can be collected, processed and distributed from a central data breach system.
This is only possible with the above recommendations. Save your (presumed) data breach from being regurgitated during any slow news week by being proactive.
That’s all for this week. I’ll catch you next time.