Case Study

Case Study

GDPR best practice: how to reduce the risk of a data breach

Posted by Paul Duller on October 23, 2019

In recent months, it has become apparent that Universities and Colleges are ‘under attack’ or at risk of data breaches. Both the GDPR and the corresponding UK Data Protection Act (2018) are just two examples of international data breach notification laws that have come into play in recent years. The breadth and complexity of these regulations are proving to be a significant challenge for businesses and the ICO (the UK Data Protection regulator) has shown they are not afraid to impose significant sanctions for those who cannot demonstrate compliance.   

While it has taken over a year for any ‘big fine’ to be imposed in the UK, during the last few months we have seen some record-breaking fines announced by the ICO. With Marriott Hotel being fined £99.2m and British Airways being fined £183m, now really is the time to ensure your data is backed-up, and if the dreaded does happen, a plan is in place to maintain business continuity.

Information Commissioner, Elizabeth Denham stated:

"People's personal data is just that - personal. When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience”. "That's why the law is clear - when you are entrusted with personal data, you must look after it. Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights."

The ICO has identified a list of factors that have contributed to breaches:

  • Poor board-level awareness of the risk to the organisation
  • Incomplete or missing corporate records (contracts and policies)
  • Inadequate staff training (important to keep a record)
  • Policies repeatedly not followed (compliance needs embedding)
  • Not understanding supply chain risks
  • Investment in security deferred
  • Poor data governance (particularly in test or product development environments; and in respect of the use of live data for testing)
  • Staff Workarounds compromising security systems because the agreed way of working is not the easiest way of working
  • Obvious misconfiguration of systems leaving them open to long-known vulnerabilities

Since most data breaches are the result of human error, even organisations with the best privacy program and awareness of personal data processing, may experience a breach. We have learned from the GDPR that organisations must not only be accountable, but also be able to demonstrate compliance. This can be broken down into three key activities:

  • Put in place appropriate technical and organizational measures to meet requirements.
  • Ensure compliance of data processing operations is demonstrable including having underlying evidence ready.
  • Ensure technical and organisational measures are reviewed and updated on a regular basis (annually) to ensure compliance with changing legislation and guidance.

If your University or College is GDPR compliant, you will already have a solid foundation for addressing a data breach, however, if you are still in the process of becoming compliant here are some recommendations:

  1. Create a Record of Processing Activity (ROPA): A key element of GDPR is the ability to provide proper documentation to demonstrate compliance (Article 30). A ROPA provides easy access to all information on processing operations so that you can quickly retrieve information when you have a security alert or incident report.
  2. Appoint a Data Protection Officer (DPO): The appointment of a DPO is mandatory under the GDPR and other jurisdictions are adopting this requirement. A DPO can act as a first point of contact and internal advisor on how to proceed in the event of a breach.
  3. Conduct (or leverage) your Data Privacy Impact Assessment (DPIA): Conducting or leveraging your DPIA may already reveal risk involved in your processing and include mitigating measures put in place to help you determine if a data breach is reportable.
  4. Keep a data breach register: While not all breaches are reportable to authorities, you do need to keep an internal register of all data breaches and security incidents. Reviewing your data breach register may point to problems within your organization related to lack of awareness, lack of security or simple carelessness in some of the departments.
  5. Document your information assets and your approach to privacy management:  By documenting and assigning ownership of the different Information Assets that exist across the college, along with the relevant policies and procedures, decision making processes and business continuity plans, you can create a robust set of information that can be used to assist at the time of the incident and demonstrate responsible privacy management to the ICO and other parties after a breach.
  6. Create a robust business continuity plan: This needs to include both incident management and recovery elements, closely linked to the GDPR notification guidelines. The plan should be rehearsed and available in both hardcopy and electronic formats (in case you experience a ransomware/lock-out situation).  It should also include a call tree (a layered hierarchical communication model used to notify specific individuals of an event and coordinate recovery, if necessary. This should include internal contacts and external agencies (ICO, Police, National Crime Agency, insurance company etc).
  7. Ensure your operational data is backed-up and secure:  As well as your own backups, Tribal offers a business continuity, backup and disaster recovery service, with two days’ worth of data stored off site, SecureSend transfers and data restoration within four hours.

To discuss creating a bespoke package for your institution, contact us here.

Topics: Higher Education, Further Education, Blog, Hot Topics

Picture of Paul Duller

Written by Paul Duller

Paul is Tribal’s Information Consultancy Director. He is an international information management specialist with 30+ years experience. He is a chartered geologist & chartered scientist, certified GDPR practitioner, previous chair of the Information and Records Management Society; and chair of the Data Management Group of the PESGB & the Geoscience Information Group of the Geological Society. Paul is an editor of the IRMS Bulletin. He publishes extensively in the field of information and knowledge management & is author of a series of international training courses .Paul regularly runs data management workshops for the PESGB, and recently completed two tours of SE Asia, during which he training over 100 geoscientists, professional and technical staff in data & document management.