Steps your business should be taking NOW
GDPR requires organisations to maintain a plan to detect a data breach, regularly evaluate the effectiveness of security practices, and document evidence of compliance.
Your company is responsible for how you securely maintain the personal data that you collect from your customers. You will need to make sure you are familiar with the GDPR guidance on what to do in the event of a ‘personal data breach’. This is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed.
Establish where personal data is being held.
The GDPR is expansive and covers all IT systems, networks and devices, including mobile devices. It is essential that you take stock of all assets across your infrastructure and create an inventory so that more stringent controls can be applied.
New vulnerabilities in systems and applications arise almost daily. Your organisation must stay on top of these weaknesses with regular vulnerability scanning to identify where weaknesses exist that could be exploited.
Conduct risk assessments and apply threat models relevant to all departments of your business.
Regularly test to gain assurance that security controls are working as designed.
Put in place threat detection controls to reliably inform you in a timely manner when a breach has occurred.
Document Response Plan
Have a documented and practised incident response plan.
Have a communication plan in place to notify relevant parties.
A communication plan should include:
- The nature of the breach.
- The name and contact details of the organisation’s data protection officer.
- The likely consequences of the breach.
- The measures you are taking or proposing to address the breach and mitigate its effects.