Email marketing is particularly exposed to personal data breaches, so you must have procedures in place should the worst happen, and everyone in your company must know what they should do. Failure to meet the requirements could be more costly than the loss of the data itself.
We recently covered what a data breach is, and remember that it goes deeper than just the loss or theft of your email marketing lists. The General Data Protection Regulation (GDPR), which is about to come into force, requires you to take certain specific actions. If you don't, you can be fined, and heavily.
The first essential is to have procedures in place. These need to include:
1/ A plan of action
You must have processes in place for a quick and effective response to a data breach. The moment a breach is discovered is not the time to start improvising.
2/ Staff are suitably trained
All your staff should be able to recognise a data breach and be aware of their individual responsibilities if one occurs. Staff should feel safe reporting any suspected breach, and they should know to whom to report it and how.
Consider having dedicated personnel, whether an individual or a team, to manage the breach and your obligations. Run test scenarios so the process has been exercised before it is needed.
3/ Ascertain the seriousness of the breach
The risks to individuals and to your company will vary with the nature of the breach. You need someone trained to assess how serious a given breach is. They should be able to establish quickly the risks to individuals, to your company and to the data you hold.
4/ Know the basics
a/ The ICO must be informed without undue delay and, where feasible, within 72 hours of you becoming aware of a breach, unless the breach is unlikely to result in a risk to individuals. "Becoming aware" does not mean once you have full details, but when it is clear that a breach has occurred. If notification is made after 72 hours, it must be accompanied by the reasons for the delay. If the breach turns out to be almost inconsequential it may be of no further interest to the ICO, but you will have met the requirement if the worst has happened.
b/ The ICO requires certain details. Ensure your team knows what these are. However, lacking full information is not a reason to delay notification: the GDPR allows the information to be provided in phases as it becomes available.
c/ Where a breach is likely to result in a high risk to individuals, you must inform them without undue delay, so you will need processes in place to do so. The GDPR stipulates what information must be given to them.
d/ Documentation
The GDPR introduces a new requirement to document every personal data breach, including the facts, its effects and the remedial action taken, whether or not it was reported to the ICO. We will cover this in a future article, although you should have familiarised yourself with the requirements and developed plans for compliance by now. It is something you should have been doing as a matter of course for some time anyway, as it gives a strong element of self-protection: the record is your evidence that you handled the breach correctly.
In a future article we will cover the possible damage that can be caused to an individual in the event of a breach. This should be your primary concern, and the ICO will check what you do. Without being mercenary, one should also remember the value of your email marketing lists.
Useful link: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/