109,000 personal data breaches were reported in the European Union from January 2022 to January 2023, according to DLA Piper. Over the same period, data protection supervisory authorities across Europe issued a total of EUR 1.64 billion (USD 1.74 billion / GBP 1.43 billion) in fines since January 28, 2022, a year-on-year increase of 50% in aggregate reported GDPR fines.
Article 33 of the GDPR requires a controller to notify a personal data breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of it.
What exactly should be done in the event of a data breach?
We cannot emphasize often enough how important it is to take immediate action. But do we also know what exactly needs to be done? Here is a reminder:
Step-by-step plan: what to do in case of a data breach?
1. Make sure you have an overview of what happened
If you are the victim of a data leak, it is important to get an overview of the situation as soon as possible. You need to know which data has been leaked, which people are affected and who was involved in order to determine how to get the situation under control.
2. Limit the damage
A data leak can have major consequences, and that is why it is important to limit the damage. Use the overview you have made to see how you can prevent the situation from getting worse, for example by revoking access, recalling a message or resetting exposed credentials.
3. Do you have to report it to the supervisory authority?
As soon as you discover a data leak, it is crucial to immediately investigate whether you need to report it to the supervisory authority. Is the leak unlikely to result in a risk to the rights and freedoms of the people affected? Then you do not have to report it. Is there a risk? Then you must report the data leak within 72 hours of becoming aware of it.
4. Do you have to notify the people involved?
As we just said: in the event of a data leak, you are not only dealing with the supervisory authority, but also with the people involved. Is there a high risk for them? Then they too must be informed (Article 34 of the GDPR). How do you determine this? By looking at the possible physical, material or non-material damage to them. If that damage is likely to be significant, those involved must be notified.
5. Register the data leak
Finally, you must register the data leak. The GDPR requires every organization to document all personal data breaches in a data leak register, whether or not they were reported. Record a description of the data leak: the personal data and people involved, the consequences of the leak and the measures you have taken. The supervisory authority can use this register to verify that you have complied with the notification rules.
How can you prevent data breaches?
Fortunately, for most organizations it does not have to go that far. Data leaks can be prevented with the right measures. Earlier, we already shared some tips on how to prevent data leaks. Those tips zoom in on the problems that exist, such as sending sensitive information over an unsecured channel, or working on public networks and so making your connected devices easily accessible to unauthorized persons.
However, there is more you can do and look out for. When we look at the nature of the reported data breaches, we see many recurring patterns. Sending data to the wrong person is the biggest cause of data leaks in Europe. That is telling, because it means the data loss was not caused by an outside attack such as phishing. Most data breaches are caused by human error.
Three pillars, one goal: avoid human errors
Fortunately, secure emailing solutions offer functionality that limits these human errors, and that lets you keep as much control as possible over the exchange of sensitive information during the entire email process. Three parts, or pillars, are important here:
- Usability
In most cases, a system that is complicated to use will not be used (correctly). If your employees find the system too difficult or annoying to work with, you as an organization still run the risk of data leaks. And that would be a waste of time, money and resources, don't you think?
- Awareness
Mistakes are human, but it becomes dangerous when sensitive information unknowingly ends up in the wrong hands. Fortunately, there are now ways to prevent this. Notifications, verifications and checks make it possible to confirm your recipient(s) and files before sending, and to block or recall messages afterwards should something go wrong. Anyone who consciously handles the processing of sensitive data will also process it correctly.
- Control
Stay in control of the data that leaves your organization. By monitoring outgoing messages, errors and data leaks can be detected more quickly and the damage can be limited. Better safe than sorry!
A combination of these three pillars substantially reduces the chance of a data breach.
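As an added example, not code from the original page or from any particular emailing product, the following Python snippet shows what the "awareness" and "control" pillars can look like in practice: a pre-send check that flags look-alike domains and never-verified external recipients before a message leaves, and records every decision in an audit log. The organization's domain, the list of previously verified recipients, the personal-data flag and the sample messages are all assumptions constructed for this example; a real deployment would take them from the mail gateway, the address book and a DLP classifier.

```python
"""Pre-send recipient check for outgoing email (added example, not from the page)."""
from dataclasses import dataclass, field
from typing import Dict, List

OWN_DOMAIN = "example.org"  # assumed internal domain
KNOWN_RECIPIENTS = {        # assumed: addresses the sender has verified before
    "anna@partner-bank.com",
    "legal@example.org",
}
KNOWN_EXTERNAL_DOMAINS = {a.split("@", 1)[1] for a in KNOWN_RECIPIENTS} - {OWN_DOMAIN}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typo-squat / look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Message:
    sender: str
    recipients: List[str]
    contains_personal_data: bool  # assumed to come from a DLP classifier or the sender
    subject: str = ""


@dataclass
class Verdict:
    action: str  # "send", "confirm" (sender must confirm recipients) or "block"
    findings: List[str] = field(default_factory=list)


def check_recipients(msg: Message) -> Verdict:
    """Awareness pillar: verify recipients before the message leaves the organization."""
    findings: List[str] = []
    action = "send"
    external_domains = set()
    for rcpt in msg.recipients:
        rcpt = rcpt.strip().lower()
        domain = rcpt.rsplit("@", 1)[-1]
        if domain == OWN_DOMAIN:
            continue  # internal recipient, nothing to check
        external_domains.add(domain)
        # A domain that is almost, but not quite, one we already correspond with
        # is most likely a typo and is blocked outright.
        for known in KNOWN_EXTERNAL_DOMAINS:
            if domain != known and edit_distance(domain, known) <= 2:
                findings.append(f"{rcpt}: domain resembles known domain {known}")
                action = "block"
        # An external address the sender has never verified requires confirmation.
        if rcpt not in KNOWN_RECIPIENTS:
            findings.append(f"{rcpt}: external recipient never verified before")
            if action == "send":
                action = "confirm"
    # Personal data going to several outside organizations at once is a classic
    # "reply all" / wrong-recipient pattern; ask the sender to confirm.
    if msg.contains_personal_data and len(external_domains) > 1:
        findings.append("personal data addressed to several external organizations")
        if action == "send":
            action = "confirm"
    return Verdict(action, findings)


def process_outgoing(msg: Message, audit_log: List[Dict]) -> Verdict:
    """Control pillar: every decision is logged so misdirected mail is spotted quickly."""
    verdict = check_recipients(msg)
    audit_log.append({
        "sender": msg.sender,
        "recipients": list(msg.recipients),
        "personal_data": msg.contains_personal_data,
        "action": verdict.action,
        "findings": list(verdict.findings),
    })
    return verdict


# Constructed sample messages (not real traffic).
SAMPLE_MESSAGES = [
    Message("bob@example.org", ["legal@example.org"], True, "contract"),
    Message("bob@example.org", ["anna@partner-bank.com"], True, "statement"),
    Message("bob@example.org", ["anna@partner-bnak.com"], True, "statement"),  # typo domain
    Message("bob@example.org", ["anna@partner-bank.com", "new@other-firm.example"], True),
]

if __name__ == "__main__":
    log: List[Dict] = []
    for m in SAMPLE_MESSAGES:
        v = process_outgoing(m, log)
        print(m.recipients, "->", v.action, v.findings)
```

The thresholds (edit distance of at most 2, confirmation for any unverified external address) are deliberately strict; in practice you would tune them against your own mail flow so that the check stays usable, which is exactly the usability pillar above.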
Would you like to know more about how to prevent data leaks?
Sharing information unintentionally with the wrong recipient remains the biggest cause of data leaks. In this whitepaper, you’ll find the 3 best practices to avoid data leaking out of your organization.