Understanding GDPR Incident Response Guidelines

What might trigger GDPR notification obligations, what your organization needs to do, and how you can plan accordingly

The EU’s General Data Protection Regulation (GDPR) has been making headlines for over five years, and its significance only promises to increase going forward.

GDPR is the EU’s solution to digital privacy regulation. The European Parliament signed it into law in 2016, with a two-year transition period that required companies to be fully compliant by 2018. Trust sits at the center of GDPR, with these regulations giving EU citizens control over how companies can collect and use their personal data. Some of the hallmarks of these regulations include giving individuals the right to know what data will be or has already been collected about them and how that data will be used, and the right to request that the data be deleted.

Among the many areas of interest mapped out in the regulations, incident response is one of the most critical to which companies must pay attention. Failure to comply with GDPR in any way can lead to a fine of up to 4% of annual global turnover.


This article will explore exactly what GDPR requires in terms of incident response, the companies to which these regulations apply, what might trigger the need to go into response mode, how organizations should prepare for incident response needs, and recent examples of companies that have dealt with a GDPR incident response.

Who Must Adhere to GDPR?

Regardless of where your company is located, if you might possibly collect or use data about EU citizens, you must adhere to GDPR guidelines.

It’s a very common misconception that GDPR only applies to companies based in the EU; this is not the case. GDPR focuses on providing protection for EU citizens, and as a result it applies to any company with which they interact — regardless of where that company is located.

This situation led many US-based companies to restrict access for EU customers when GDPR first launched in 2018. For example, many EU citizens who visited US news websites on May 25, 2018, the day GDPR went into full effect, found they could not access the sites and instead received a message that the publishers were working on GDPR compliance.

What are the GDPR Incident Response Guidelines?

GDPR sets forth numerous rules for how companies need to handle personal data. Importantly, it also provides a clear protocol for what’s required if a data breach occurs. Under these incident response guidelines, companies must:

  1. Notify the appropriate GDPR supervisory authority within 72 hours of becoming aware of the incident (if the notification is made after 72 hours, you must include the reasons for the delay).
  2. Provide the following details in the notification:
    • The incident, including the types and amount of data involved and the number of people associated with that data
    • Contact information for someone at the company who can share more details (this should usually be the Data Protection Officer, a role required by GDPR)
    • The likely consequences of the incident
    • Plans to address the incident and reduce any negative effects

If your organization does not have all of this information at once, you can provide the details in phases, but you should not wait for that information before submitting the initial notification — that must still come within the 72-hour window.

Importantly, if the incident puts the affected individuals at high risk, then companies must also notify those people as soon as possible. GDPR treats data as putting individual freedom and safety at risk when its exposure could lead to social or economic disadvantage, such as discrimination, loss of confidentiality, identity theft, or financial loss. This typically includes confidential data or personally identifiable information (PII) like name, address, date of birth, health records, or bank details. If this type of data is involved in a breach, you must reach out to the affected individuals and clearly describe the incident and the type of information compromised.

There are a few exceptions to this rule, though. Companies do not need to send these individual notifications if:

  1. The compromised data is protected in a way that renders it unusable to any attacker (for example, it is encrypted and therefore unreadable without the key).
  2. Your company has already taken action that reduces the fallout from the incident so that it no longer threatens individual safety or freedoms.
  3. So many individuals are affected that notifying each of them individually would be an excessive burden, in which case GDPR allows companies to make a public announcement that reaches all of the people on whom they hold data.

The regulation sets a deadline of “without undue delay” for these individual notifications. Some interpret that as 72 hours, given that this deadline is used in other parts of the regulation. Others believe the regulation is more tolerant here and that more time can be taken. While some ambiguity remains and there is a lack of definitive case law to date, do not take too long: courts have ruled in prior judgements that the time frame is “not compatible with a time limit of several weeks or … several months”.

Throughout all of this, “lack of awareness” is not an option. GDPR also requires companies to implement processes for regularly testing, assessing, and evaluating data security and the effectiveness of security measures. Along the way, companies must keep a record of any data breaches and make themselves available for audits by the supervisory authority.


What Can Trigger Notification Under GDPR?

There are several types of events that can trigger GDPR notification obligations. Many of these events are data breaches; however, it’s not just an attack that can lead to an incident response — it can also be a case where a company mistakenly shares the wrong data. The following are a few examples of the variety of events that can trigger an incident response under GDPR.

1) Data Theft, Like Exfiltration

Any kind of data theft qualifies as a breach under GDPR. One of the most common types of data theft is exfiltration, which occurs when attackers gain unauthorized access to data and transfer it onto their own servers or devices.

2) Mistakenly Exposed Data

If your company mistakenly sends information to the wrong person or shares information in an insecure way, you have exposed someone’s personal data. For example, this might include sharing any kind of data about an individual with someone other than that individual (e.g. if someone requests to see the data your company holds about them and you accidentally send them the data about someone else). It might also include sharing information over the wrong channel, such as sending someone’s banking information over an unencrypted channel like email.

3) Stolen or Lost Physical Records

Data breaches under GDPR don’t just cover digital records: physical data records are also subject to GDPR compliance. Physical records that are stolen or lost qualify as a data breach under GDPR, as it’s possible these records might then fall into the wrong hands. Additionally, if your company only holds physical records and those records become damaged in any way (e.g. in a flood or a fire), that also qualifies as a data breach, since it is equivalent to accidentally deleting digital files.

What Do Companies Need to Be Prepared for GDPR Incident Response?

Whether it’s GDPR or any other data privacy regulation, companies must be prepared to jump into action when an incident response is required. Overall, this preparation means prioritizing technology that offers visibility into data (how it’s collected, where it lives, how it’s used) and introducing strict security measures to protect that data. Clearly identifying which people within your organization own incident response and giving them the support to introduce processes accordingly is equally critical.

With that foundation in place, we can then break down incident response preparation into three critical phases:

1) Readiness

In today’s day and age, data breaches are more a matter of “when”, not “if” — and that makes it essential to get your incident response plans in order proactively. Notably, proactive incident response can significantly reduce the resulting costs associated with a breach of any sort. This readiness should include:

  • Understanding incident response requirements based on what’s outlined in regulations (like GDPR, among others) and in your contracts with customers and partners.
  • Preparing incident response plans based on each set of regulations and contracts.
  • Keeping track of changes to regulations and contracts so that all incident response plans can also stay up to date.

2) Response

When a data breach does occur, the faster and more confidently you can go into incident response mode, the better off your company will be. Speed of response is especially important under GDPR, as the regulation requires companies to submit notifications within 72 hours of becoming aware of the incident and places the burden of “awareness” on the company. Jumping into action with a quick response means your team must be able to easily:

  • Identify issues and collect relevant incident data, including what happened, how it happened, who it affected, and what the consequences might be.
  • Collaborate across teams and departments on delivering the incident notification to the appropriate supervisory authority.

3) Ongoing Management

Finally, thinking through incident response planning is not a set-it-and-forget-it exercise. Rather, it requires ongoing management to ensure recovery from any breaches and help the business get back on track.

One of the most important pieces of this ongoing management is a centralized dashboard that allows for reporting and monitoring on incident response plans, updates to regulations and contracts, and everything else teams might need to remain prepared for any future data breaches.

What are Examples of High Profile GDPR Incident Response Cases?

Companies have reported nearly 300,000 data breaches since GDPR went into effect in 2018, according to DLA Piper. The average number of notifications per day reached 331 in 2020, up 19% from 2019. Among these many incidents, here are a few high profile cases:

1) H&M: Mistakenly Exposed Data

H&M, an international clothing retailer, experienced an incident regarding mistakenly exposed data in 2019 that resulted in a fine of €35.3 million.

The company kept detailed profiles on employees that included information about religious beliefs, medical history, family details, and more, many of which were collected via private, 1:1 conversations and other informal channels. A technology error in 2019 made all of this information visible to all of H&M’s employees through the company’s internal network.

There were two issues at hand with this situation: First was the improper collection of data, as GDPR requires a high level of transparency so that individuals know what data gets collected about them and how it will be used. Second was the mistaken exposure of this personal data, which could put individual freedom and safety at risk.

H&M issued a statement as part of their incident response that noted forthcoming changes to personnel, data privacy, and auditing policies. The company also included an apology to employees and shared that affected individuals would be financially compensated. Ultimately, the situation came under review by the Hamburg State Commissioner for Data Protection and Freedom of Information, which led to the second largest fine in GDPR history.

2) British Airways: Data Theft

British Airways, a UK-based airline carrier, experienced an incident regarding data theft in 2018 that resulted in a fine of £20 million (note: the company was originally supposed to be fined £183.39 million, but this got reduced in 2020 due to the impact of COVID-19 on the airline industry).

The company was the victim of a cyber attack in 2018 in which hackers gained access to personal data on over 400,000 British Airways customers and staff, including details like names, addresses, and payment details. The company first discovered and reported on the incident two months after it occurred.

This attack presented two issues based on GDPR guidelines. First, the company failed to prevent the attack despite being able to do so by introducing known measures like more rigorous testing and multi-factor authentication. Second, British Airways displayed a lack of awareness, as they did not actually detect the attack themselves, even though GDPR requires companies to conduct regular audits.

Once British Airways did become aware of the attack, they immediately launched an incident response, including a detailed notification to the Information Commissioner’s Office.

3) Royal Dutch Tennis Association: Improperly Sold Data

The Royal Dutch Tennis Association, a Netherlands-based group, experienced an incident regarding improperly sold data in 2018 that resulted in a fine of €525,000.

The company sold personal data on approximately 300,000 members, including information like name and address, to two of its sponsors. The sponsors then used that information to reach out to those members via mail and phone.

This incident presented several issues, as the tennis association did not have permission from those members to use their data in this way, nor did the sponsors who received the data have permission to contact those people (individuals have the right to opt in to communications under GDPR).

The Dutch Data Protection Authority investigated the situation and imposed a fine; however, the Royal Dutch Tennis Association maintained that there was a legitimate interest for the sale of the data and objected, leading to further reviews.

Recognizing the Importance of Proactive Incident Response

Since its introduction, GDPR has proven to be a strong set of guidelines governing individuals’ data privacy. The EU has made clear through countless cases that it’s serious about enforcing these regulations.

As a result, it’s absolutely critical for any company that works with EU citizens or has their data to pay close attention to what’s outlined in GDPR and how those guidelines evolve over time. One of the most critical, but often overlooked, elements of this compliance is incident response. As important as it is for companies to focus on avoiding any issues or data breaches, it’s inevitable that something will happen at some point. This situation makes it essential to have a strong, proactive incident response plan in place.

Having this type of proactive incident response plan can help your company recover from a data breach faster and lessen the overall impact. Doing so starts with understanding what’s required under GDPR, putting a plan in place, and then ensuring you have the proper resources to maintain that plan over time.
