Control

Controlling the impact of a breach

This element of the programme focuses on ensuring that the organisation can respond to a data breach in a timely fashion: assessing the breach, and responding appropriately to its impact by notifying data subjects and regulators as necessary. Key activities include:

  • Establishing and maintaining breach plans for the data processing activities
  • Validating and exercising the breach plans
  • Reviewing breach events for continuous improvement actions

The organisation needs to be prepared before a breach occurs as time will be tight.

Lost device

A hand-held device containing the personal data of customers is reported lost at 5pm on Friday. Within 72 hours (by 5pm on Monday), you may need to inform the Data Protection Commission. You must assess the risks to the data subjects to decide who needs to be informed and when. If the risk is low, you may not need to inform anyone; if it is high, you may need to inform all impacted data subjects and the Data Protection Commission.

When a breach occurs, time is the enemy. Therefore, it is essential to anticipate the loss and plan management activities. The Breach Management Plan needs to ensure that staff involved in managing the incident can be engaged quickly, know their roles and can contribute to timely decision-making. Breach Management Plans should be tested and exercised regularly.

A Breach Management Plan is similar to a Business Continuity Plan: it is made in advance, should be exercised regularly and maintained as data processing activities change. A poorly managed breach may be a crisis that threatens the life of the business.