Business info issue 156

businessinfomag.uk magazine 28 DATA PROTECTION

How to devise an effective data breach response strategy

The announcement on May 7 that the names, addresses, pay and bank details of armed services personnel may have been stolen from an MoD payroll system managed by a third party is disturbing but all too familiar. Indeed, news of this state-sponsored hack came the day after the NHS warned that a large volume of patient and staff-identifiable data had been published on the dark web following a ransomware attack on NHS Dumfries and Galloway.

Both these examples highlight how data breaches can have a devastating impact on organisations and data subjects. Even organisations that employ a data protection-as-a-service provider like The DPO Centre will need to have a long-term data breach framework and security strategy in place to help mitigate the consequences of a data breach, including both cyber and non-cyber incidents.

Non-cyber breaches, also referred to as physical or offline breaches, still account for the highest number of reported breaches. Figures from the Information Commissioner's Office (ICO) show that between October and December 2022, 75% of reported personal data breaches in the UK were classified as non-cyber, with 'data emailed to the wrong recipient' cited as the leading cause, accounting for almost one in five incidents.

All organisations, regardless of size or industry sector, need to take proactive steps to prevent a data breach (both the ICO and the European Data Protection Board publish useful data protection guides for small businesses). Having a robust plan, covering everything from prevention to response, and well-prepared staff will enable organisations to reduce the impact of potential attacks whilst demonstrating their commitment to safeguarding customer information. This will also help to:

- Build customer trust
- Preserve brand reputation
- Strengthen partnerships
- Mitigate business disruption
- Give stakeholders peace of mind.
Here are five tips to help you devise an effective data breach response strategy:

1. Establish a data breach response team

This can be a single person or a group with responsibility for managing security incidents. Time is of the essence when responding to a breach, and a dedicated response team will play a vital role in minimising impact whilst safeguarding sensitive information. Ideally this person or team should have a firm understanding of data protection considerations, along with the ability to carry out immediate technical mitigation.

2. Review your data processing activities

Understanding how and where your organisation processes personal data (and the current security measures) helps identify potential weaknesses and highlights any risks. Regular reviews should be part of your overall plan, as they will enable you to make informed decisions on how best to allocate resources to strengthen your data protection efforts. Creating an Information Asset Register, conducting data mapping exercises and building a Record of Processing Activities (RoPA) can all help with this process. In addition, Data Protection Impact Assessments (DPIAs) for high-risk processing activities will sharpen focus on processes where the impact of a data breach may be more significant.

3. Develop a data breach response plan

While a risk assessment will identify areas of weakness, a robust data breach response plan will ensure staff are prepared if a breach does occur. The specifics of a plan will be different for each organisation but should include the following:

- Details of the data breach response team
- Breach identification and internal reporting and logging procedures
- Legal and regulatory procedures
- Breach containment and mitigation
- External support resources
- Breach risk assessment framework
- Post-breach review procedures
- Training and awareness requirements.

4. Monitor for suspicious activity and anomalies

This should be a non-exhaustive and ongoing strategy for identifying potential breaches.
Early intervention can reduce the damage caused by cyberattacks or personal data security incidents. Internal processes should be regularly reviewed and updated in light of emerging threats and best practice. Here are some measures to consider:

- Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)
- Analysis of web application logs for suspicious activities such as multiple login failures
- Regular data protection security audits
- Regular data protection refresher courses for all staff

5. Build a data protection culture

A company culture with in-built data protection awareness and knowledge is one of the primary factors in data breach prevention. Ongoing staff awareness training is a core foundation for a strong data protection culture.

The DPO Centre offers its top five tips for effective responses to cyber and non-cyber data breaches. www.dpocentre.com
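As an added illustration of the log-analysis measure under tip four (not code from the article or from The DPO Centre), the following Python script scans constructed web-application log lines and flags any client address that accumulates a threshold number of failed logins within a sliding time window. The log format, field names and sample addresses are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample web-application log lines (not real data).
# Assumed format: ISO timestamp, client IP, event, username.
SAMPLE_LOG = """\
2024-05-07T09:00:01 203.0.113.7 LOGIN_FAIL user=alice
2024-05-07T09:00:04 203.0.113.7 LOGIN_FAIL user=alice
2024-05-07T09:00:06 198.51.100.2 LOGIN_OK user=bob
2024-05-07T09:00:09 203.0.113.7 LOGIN_FAIL user=admin
2024-05-07T09:00:11 203.0.113.7 LOGIN_FAIL user=root
2024-05-07T09:00:14 203.0.113.7 LOGIN_FAIL user=carol
2024-05-07T09:20:00 198.51.100.2 LOGIN_FAIL user=bob
2024-05-07T09:40:00 198.51.100.2 LOGIN_FAIL user=bob
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (LOGIN_FAIL|LOGIN_OK) user=(\S+)$")


def find_failed_login_bursts(log_text, threshold=5, window_seconds=60):
    """Return {ip: peak_count} for IPs reaching `threshold` failed logins
    within any `window_seconds`-long sliding window."""
    recent = defaultdict(deque)  # ip -> timestamps of recent failures
    alerts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the assumed format
        ts_str, ip, event, _user = m.groups()
        if event != "LOGIN_FAIL":
            continue  # successful logins do not count towards the burst
        ts = datetime.fromisoformat(ts_str)
        window = recent[ip]
        window.append(ts)
        # Drop failures that fell out of the sliding window.
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            alerts[ip] = max(alerts.get(ip, 0), len(window))
    return alerts


if __name__ == "__main__":
    for ip, count in find_failed_login_bursts(SAMPLE_LOG).items():
        print(f"ALERT: {count} failed logins from {ip} within 60s")
```

Two slow failures from the second address twenty minutes apart do not trigger an alert at the default settings, which is the point of using a window rather than a lifetime counter.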
