Responding to Data Breaches: A DPO’s Guide to Incident Management, or How to escape the kraken’s tentacles
Part One: Spotting the deepwater beast
Data breach is often associated with panic; but to ring the ship’s bell in alarm, one has to see what’s hiding under the darkest waves.
The Danish DPA guidelines on data breaches list several of the most common breeds of breach, among them:
- Data sent to the wrong recipients because the wrong addressee is merged into outgoing mail;
- Failure to delete data using digital tools;
- Loss/theft of portable devices with unencrypted data;
- Unauthorised access to data due to poor design, coding errors and insufficient testing;
- Disclosure of data stored in template and form solutions;
- Absence of rigorous security perimeter that leads to the data being exposed to search engines or insider attacks;
- Malicious software (ransomware) that causes loss and misuse of data, and other curses of dark waters.
Sometimes, the birds of the security software will cry loudly, notifying the people before the eye sees anything. Other times, a data subject will send you a pigeon about the boxes signed with their names floating in the open water. Or maybe the DPA admiral will call you ashore this instant. Nonetheless, all of those mean it’s time to row away quickly!

Part Two: Informing the higher ranks
From now on, you must follow the code as laid out by your captain (titled “incident response procedure” or similar). If the breach has stuck its tentacles into the stacks of personal data, that’s where the DPO or other responsible person must take the helm.
For you, the first step would be to alert your manager, chief of legal, and other C-level officers, sometimes all the way up to the CEO. Once the bell has been rung and the beast is proven to have a taste for all things personal, you could send a message to their cabin or call really loudly — whatever suits ye.
This is a preliminary step before going forward with informing the data subjects and the Data Protection Authority. Such notification must be arranged within 72 hours. The kraken is not waiting. Tick-tock, or, rather, plop-plop.
Part Three: Notifying the admiral and the folks concerned (if necessary)
The inks of data can be erased by a drop of seawater. It can be mutilated by the kraken’s tentacles, or it can be stolen from the ship. Simply revealing the content of the data boxes to the kraken’s eye is already a breach!
Now, think about what happens if the beast snatches your cargo and carries it across the seas to the islands where all that is stolen is sold for a golden coin. Could the dealings with personal data lead to the discrimination on the basis of race, political opinion, religion or any other things that are important on land and on water? Could your kraken put on a hat of names and a coat of ID numbers and rob a bank, directing the consequences to the data subject? If these ploys do not require a significant effort on the side of the kraken or infamous gentlemen of fortune, then the risk is probably high.
To evaluate your chances, two things must be weighed: the sensitive nature of the data, and the amount of information revealed about an individual, which puts them in a vulnerable position. If it’s really bad, you have both.
Tough luck, says we. You, however, must not fret; instead, draft a letter to the DPA that includes:
- a description of the nature of the personal data breach;
- categories and an approximate number of data subjects affected;
- categories and an approximate number of personal data records affected;
- name and contact details of DPO, if assigned;
- consequences of the personal data breach, both those that have already occurred and those that are likely to occur;
- a description of the measures taken or proposed to be taken to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects;
- any other information relating to the data breach.
Notice that if the number of data subjects whose data was revealed exceeds a hundred souls, it is good practice to notify the souls in question as well as the DPA. Numbers matter, even if the personal data is not highly sensitive. Savvy?
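As an added example (not part of the original post), here is a small Python triage helper that encodes the post's rules of thumb in one place: the 72-hour window from Part Two, the two risk criteria from Part Three (sensitive data, and information that makes misuse cheap for the attacker), the hundred-subject rule, and the list of fields the DPA letter needs, together with a check that flags fields still left empty before the letter goes out. The `Breach` schema, the numeric thresholds and the two sample incidents are constructed for illustration and are not statutory values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Rules of thumb from the post, encoded as constants (constructed, not statutory).
SUBJECT_COUNT_THRESHOLD = 100              # "higher than a hundred souls"
NOTIFICATION_WINDOW = timedelta(hours=72)  # "arranged within 72 hours"


@dataclass
class Breach:
    """Incident facts as the DPO records them (constructed schema for this example)."""
    detected_at: datetime
    nature: str
    subject_categories: List[str]
    subject_count: int
    record_categories: List[str]
    record_count: int
    sensitive_data: bool          # health, religion, political opinion, etc.
    low_effort_misuse: bool       # e.g. names and ID numbers exposed together
    consequences: List[str] = field(default_factory=list)
    measures: List[str] = field(default_factory=list)
    dpo_contact: Optional[str] = None
    other_info: str = ""


def notification_deadline(detected_at: datetime) -> datetime:
    """Latest time by which the DPA notification must be arranged (72 h from detection)."""
    return detected_at + NOTIFICATION_WINDOW


def assess_risk(b: Breach) -> str:
    """'high' when the data is sensitive or misuse needs little effort; 'low' otherwise."""
    if b.sensitive_data or b.low_effort_misuse:
        return "high"
    return "low"


def must_notify(b: Breach) -> dict:
    """Who to tell, per the post's heuristics: high risk or many subjects means both."""
    high = assess_risk(b) == "high"
    many = b.subject_count > SUBJECT_COUNT_THRESHOLD
    return {
        "dpa": high or many,
        "data_subjects": high or many,
        "deadline_utc": notification_deadline(b.detected_at).isoformat(),
    }


def build_dpa_notification(b: Breach) -> dict:
    """Assemble the letter to the DPA with the fields listed in Part Three."""
    return {
        "nature_of_breach": b.nature,
        "data_subject_categories": b.subject_categories,
        "approx_data_subjects": b.subject_count,
        "record_categories": b.record_categories,
        "approx_records": b.record_count,
        "dpo_contact": b.dpo_contact,
        "consequences": b.consequences,
        "measures": b.measures,
        "other_information": b.other_info,
    }


def missing_fields(notification: dict) -> List[str]:
    """Fields still empty (None, '' or []); 'other_information' may legitimately be empty."""
    optional = {"other_information"}
    return [k for k, v in notification.items()
            if k not in optional and (v is None or v == "" or v == [])]


# Constructed sample incidents.
MISADDRESSED_MAIL = Breach(
    detected_at=datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc),
    nature="Newsletter merge sent 250 customers' names and addresses to the wrong recipients",
    subject_categories=["customers"], subject_count=250,
    record_categories=["contact details"], record_count=250,
    sensitive_data=False, low_effort_misuse=False,
    consequences=["unwanted disclosure of contact details"],
    measures=["recall request sent", "merge template fixed"],
    dpo_contact="dpo@example.invalid",
)

LOST_LAPTOP = Breach(
    detected_at=datetime(2024, 3, 2, 18, 30, tzinfo=timezone.utc),
    nature="Unencrypted laptop with patient files stolen from a car",
    subject_categories=["patients"], subject_count=12,
    record_categories=["medical records", "ID numbers"], record_count=40,
    sensitive_data=True, low_effort_misuse=True,
)

if __name__ == "__main__":
    for b in (MISADDRESSED_MAIL, LOST_LAPTOP):
        print(assess_risk(b), must_notify(b), missing_fields(build_dpa_notification(b)))
```

The mis-addressed mailing is low risk on its own, yet the count alone tips it into notifying both the DPA and the recipients; the stolen laptop is high risk at twelve subjects, and the empty-field check shows the letter is not ready to send until the DPO contact, consequences and measures have been filled in.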

And on the numbers: in case of non-compliance, the price is hefty across all seven seas
For example, the Italian DPA called OpenAI ashore over the operation of their AI chatbot “ChatGPT”. The DPA found that OpenAI had failed to notify it of a data breach. Thankfully, the matter was settled only by the financial equivalent of the gallows, that being a fine of EUR 15 million.
In the waters nearby, the DPA of Spain caught drifting Institut Marquès Obstetricia i Ginecologia. These unlucky sailors had failed to take appropriate technical and organizational measures to protect personal data. This is especially important when you have medical records on board (remember sensitivity). And of course, their captain failed to properly inform data subjects about the data breach.
In the east of the Mediterranean, the wind is no less harsh: the Hellenic DPA imposed a fine of EUR 40,000 on Vodafone. After an individual requested records of their conversations with a call center, the Vodafone folks handed them a box with another customer’s conversations. An old story by now: Vodafone also failed to report the incident to the DPA in a timely manner.
So, what do you do after your ship is back in safe water?
On the perilous seas, your crew is the first “layer” attacked by krakens. Implement guidelines for internal and external communication, including that employees must exercise caution to ensure that e-mails, letters, etc., are not sent to the wrong recipients.
It also helps to have guidelines for handling requests for insight and access to the personal data and for publishing information on the internet. The guidelines must contain an instruction that the crew is to come down to the brig and review the cargo manually. This way they would delete or remove personal data before the material is published or handed out.
Remember the motto: keep ‘em crewsmen on their toes, train ‘em with sticks and ropes, and they will be ready to face the kraken of breach, avoid the gallows of DPA and reach the final destination on the Isla de Compliance!