Data breaches can occur anywhere and without warning, even after all the required protocols and processes have been implemented. At such times, a well-prepared response plan provides a clear roadmap, pointing staff to the recommended Standard Operating Procedures (SOPs) the moment a breach is discovered. Companies that take their time in reporting breaches pay for it, as the fines can be hefty: Twitter (fined €450,000) and Booking.com (fined €475,000) both found out that delayed data breach notification is a costly affair.
Before we start, let’s review the data breach notification flowchart to understand when notification is required under the regulations, so that organisations know when to put the response plan into action.
The Personal Data Protection Commission (PDPC)'s infographic below illustrates the timelines for assessment and notification of data breaches to the PDPC and affected individuals.
Upon determining that a data breach is notifiable, the organisation must notify:
These timeframes for notifying the Commission and/or the affected individuals commence from the time the organisation determines that the data breach is notifiable. Any unreasonable delay in notifying the relevant parties is a breach of the Data Breach Notification (DBN) Obligation.
Where an organisation is required to notify affected individuals of a data breach, it should notify the affected individuals at the same time or after it notifies the Commission.
To manage the many nuances of responding to data breaches in a timely and accurate manner, it is recommended to follow a systematic approach through a Data Protection Management Plan (DPMP). When putting this plan in place, an organisation should consider the following factors together, as they are interconnected:
A comprehensive DPMP can help in plugging gaps by drawing attention towards questions like:
C-A-R-E: The 4-Step Framework:
Singapore’s PDPC also offers a good framework for organisations starting on a data breach response plan, in the form of the acronym CARE (Contain, Assess, Report and Evaluate). In a separate article on managing data breach response, we have covered the details of the CARE framework.
Incident handling can be automated to an extent, as there are software platforms that enable the Data Protection Officer (DPO) to manage data breach response activities. Straits Interactive’s DPOinBOX platform is one such platform.
The following images are screenshots of incidents & requests from the DPOinBOX, a platform which aids organisations in managing their DPMP.
The DPOinBOX software also incorporates the CARE (Contain, Assess, Report and Evaluate) framework mentioned earlier. Recording each incident systematically under the CARE categories helps the DPO manage the breach more effectively. In this case, the DPO is entering the details of an incident involving a lost hard disk.
Once the details are entered, DPOinBOX’s incident analysis function examines the incident in more depth. The DPO can use this function to generate the recommended actions for incident response.
The Breach Management function in DPOinBOX provides the DPO with an overview of the breach incidents and requests. In this section, DPOs can find information about the incidents, including the nature, date, staff who reported it and when it was reported. These details are useful especially when having to present to either management or the regulators if it is a notifiable breach.
In this digital age, data breaches can occur in any organisation, at any time. It is critical for organisations to understand the timelines for reporting breaches to the regulators and what information is needed when reporting. In this respect, data protection management software such as DPOinBOX helps DPOs manage breach response easily and effectively.
Article By: Aman Khajanchi
The views and opinions expressed in this article are those of the author and do not necessarily reflect the official view or position of DPEX Network.