One of the core principles of the GDPR is that businesses must be prepped and ready to execute the requisite notifications in the event of a breach of personal data.
Firstly, the relevant bodies must be notified within 72 hours of discovering the breach. This requires that your Data Protection Officer (DPO), or the person responsible for data protection, knows who to notify and how to do it.
Keep in mind that even though the GDPR is valid throughout the EU, each member state has its own data privacy authorities, and you should know whom to inform and how to do it. It’s smarter to have this information ready as part of your incident management plan instead of searching for contact details when things get stressful.
In the event of an incident involving customer data, the business must be able to notify all affected parties in a short time period, with the appropriate information. This could mean sending a message to each of your customers.
Email is the best notification channel for large volumes and detailed content
Email is a highly efficient channel through which to execute your notification plan, especially if you are notifying thousands of individuals. Email is also best when the information is detailed and too lengthy to include in a text message.
If you don’t have customer email addresses on file, you should start a data collection campaign. Explain why you are requesting email addresses and that this information will only be used for incident notifications. There won’t be time to do this during the incident management process.
Develop a template that meets good practice guidelines for email and is tested across common devices. This reduces the time required to complete the campaign set up. You must be able to insert the critical information into the template quickly.
Make sure the email platform you use can provide reports of time sent, successful/unsuccessful delivery and open rates – to prove that you executed the notification plan appropriately.
Creating an incident / breach notification plan
To get this right, it’s imperative to have a notification plan prepared that is agreed between all parties – marketing, IT, compliance and legal. Your notification plan should include the following:
- A schedule of events – have a time plan that details each step of the notification process, with the aim of getting the notifications out within the required time. This schedule must involve any third party processors that you will need to help execute your plan.
- An up-to-date list of participants – make sure it’s quite clear as to who is doing what. For example, consider who is responsible for sending the notification – does it sit with marketing or compliance? And who manages the plan?
- A set of email templates – you need to develop a set of incident notification templates and have them immediately accessible, in order to insert the critical information. These templates must be pre-tested across devices.
- Ability to select/segment recipients – you will need to compile and possibly segment your customer list. You must have access to email addresses and first names to personalize (who wants a crisis message that says “Dear valued customer”?).
- Budget – have a pre-approved budget assigned, so you can expedite your plan – you don’t want to go through budget requests and approvals when the clock is ticking. If a third party is involved in your notification plan, ensure that you have the budget to cover their fees.
- Ability to send millions of messages quickly – you cannot go from sending zero emails on a platform to sending millions. Your incident notification needs to be sent via a server that distributes high volumes consistently, so that a large distribution will not look like spam and result in deliverability issues.
- Appropriate technical setup – The email platform must be correctly configured to deliver on your behalf – the correct SPF and DKIM settings, etc.
- Reporting – getting the right information back is crucial to show evidence of your notification process. The reports you receive need to show that the messages were sent within the time-frame, which were delivered and that you made every effort to get a message to the affected party – including repeat attempts to deliver to addresses that failed the first time.
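One way to turn a platform's delivery log into the evidence the Reporting item asks for (sent inside the time-frame, which addresses were delivered, which were retried and which still need a repeat attempt), as an added example that is not from the original post. The log format, the addresses and the discovery time are constructed, and applying the 72-hour figure to customer notices is an assumption; the deadline is a parameter.

```python
from datetime import datetime, timedelta

# Constructed sample delivery log (hypothetical format):
# <ISO-8601 UTC timestamp> <recipient> <event: sent|delivered|bounced> <attempt number>
SAMPLE_LOG = """\
2024-03-01T09:00:00Z a@example.com sent 1
2024-03-01T09:00:05Z a@example.com delivered 1
2024-03-01T09:00:00Z b@example.com sent 1
2024-03-01T09:00:07Z b@example.com bounced 1
2024-03-01T15:00:00Z b@example.com sent 2
2024-03-01T15:00:04Z b@example.com delivered 2
2024-03-01T09:00:00Z c@example.com sent 1
2024-03-01T09:00:09Z c@example.com bounced 1
2024-03-01T15:00:00Z c@example.com sent 2
2024-03-01T15:00:06Z c@example.com bounced 2
2024-03-05T10:00:00Z d@example.com sent 1
2024-03-05T10:00:03Z d@example.com delivered 1
"""
# Constructed time at which the breach was discovered (starts the notification clock).
DISCOVERED_AT = datetime.fromisoformat("2024-03-01T08:00:00+00:00")

def parse_log(text):
    """Parse log lines into (timestamp, recipient, event, attempt) tuples, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, rcpt, event, attempt = line.split()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), rcpt, event, int(attempt)))
    return sorted(events)

def evidence_report(events, discovered_at, deadline_hours=72):
    """Per-recipient final status plus a summary of deadline compliance, deliveries and retries."""
    deadline = discovered_at + timedelta(hours=deadline_hours)
    per = {}
    for ts, rcpt, event, attempt in events:
        r = per.setdefault(rcpt, {"attempts": 0, "final": "unsent", "late": False})
        if event == "sent":
            r["attempts"] = max(r["attempts"], attempt)
            r["late"] = r["late"] or ts > deadline   # an attempt made after the time-frame
        elif event == "delivered":
            r["final"] = "delivered"
        elif event == "bounced" and r["final"] != "delivered":
            r["final"] = "failed"                    # a later successful attempt overrides this
    summary = {
        "recipients": len(per),
        "delivered": sum(r["final"] == "delivered" for r in per.values()),
        "retried": sum(r["attempts"] > 1 for r in per.values()),
        "sent_after_deadline": sorted(a for a, r in per.items() if r["late"]),
        "needs_retry": sorted(a for a, r in per.items() if r["final"] != "delivered"),
    }
    return summary, per
```

Addresses listed under needs_retry are the ones the plan's repeat-attempt step should pick up; sent_after_deadline flags sends that fall outside the agreed time-frame and need explaining in the record.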
Don’t leave your notification process to chance – rather have it well mapped out, with time frames and elements, such as templates and budget, on standby.