One of the fundamental principles of the GDPR is that businesses must be fully prepared and ready to execute the necessary notifications in the event of a breach of personal data.
The first step is to notify the relevant bodies within 72 hours of discovering the breach. Your Data Protection Officer (DPO) or person responsible for data protection must know who to notify and how to do so. It is best that you have this information on hand as part of your incident management plan; otherwise you will end up scrambling for contact details during what is already a stressful and high-pressure time.
Because each of your customers needs to be informed, email is usually the most convenient and efficient method of communication.
One of the best ways to prepare for this is to develop a template in advance that meets good practice guidelines for email. This can then be sent as and when required, reducing the amount of time lost during an emergency. It’s essential that you are able to insert the critical information into your template quickly. It’s also advised that the email platform you use provides reports of time sent, successful or unsuccessful delivery and open rates, so that you can prove you executed the notification plan properly.
Your data breach notification plan should be agreed between marketing, IT, compliance and legal.
Here is exactly what your notification plan should include:
1. A schedule of events
Have a plan that outlines each step of the notification process, with the aim of getting the notifications out within the required 72 hours. Your schedule must also include any third-party processors who will need to assist with the execution of your plan.
2. An up-to-date list of participants
Make sure your notification plan outlines exactly who will be doing what. For instance, who will be responsible for sending the notifications? Who is in charge of managing the plan?
3. A set of email templates
Prior to an incident taking place, you need to have a set of incident notification templates ready, each specific to a type of incident you might face. These must be instantly accessible in the event of an incident, so that you can insert the critical information. The templates must also be tested in advance, across different devices and email clients.
4. The ability to segment recipients
You will need to compile and potentially segment your customer list. Also, you need to be able to personalise each email being sent out, therefore you must have access to email addresses and first names.
5. A pre-approved budget
Have a pre-approved budget in place so that you can activate your plan without needing to go through budget requests and approvals in times of urgency.
With a well-thought-out notification process, everything will be much more seamless and straightforward in the event of a data breach. If a third party is involved in your notification plan, make sure you have the budget to cover their fees.
6. Ability to send numerous messages quickly
As mentioned above, a data breach involves suddenly sending out a very large number of emails. Your data breach notification needs to be sent via a server that already distributes high volumes of email on a consistent basis, so that a sudden large distribution does not look like spam or lead to deliverability issues.
7. Appropriate technical setup
Your email platform must be correctly configured to deliver on your behalf, with correct SPF and DKIM records (and related email authentication settings) published for your sending domain, so that receiving mail servers accept the notifications rather than rejecting them or filing them as spam.
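The following Python script is an added example (not code from the original article or from 8 Ways) showing the kind of check worth running on your sending domain's SPF and DKIM records before you need to rely on them. It validates the record strings you would fetch from DNS: the SPF record must start with `v=spf1`, stay within the RFC 7208 limit of 10 DNS-lookup terms, and end in a `-all` or `~all` policy rather than the permissive `+all`; the DKIM record must carry a non-empty, base64-valid public key. The sample records are constructed for illustration, and the "RSA key smaller than 2048 bits" heuristic, which compares the decoded key length against a 250-byte threshold, is an assumption rather than a standards rule.

```python
import base64
import binascii

# SPF terms that each cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_SPF_LOOKUPS = 10


def check_spf(record: str) -> list[str]:
    """Return a list of problems found in an SPF TXT record (empty list = passed)."""
    problems = []
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must begin with v=spf1"]
    lookups = 0
    has_all = False
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        body = term.lstrip("+-~?")
        # "include:x", "a/24", "redirect=x", "mx" -> keyword before ':', '=' or '/'
        name = body.split(":", 1)[0].split("=", 1)[0].split("/", 1)[0].lower()
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
        if name == "all":
            has_all = True
            if qualifier in "+?":
                problems.append(f"'{term}' lets any sender pass; use -all or ~all")
    if lookups > MAX_SPF_LOOKUPS:
        problems.append(f"{lookups} DNS-lookup terms exceed the RFC 7208 limit of {MAX_SPF_LOOKUPS}")
    if not has_all and not any(t.lower().startswith("redirect=") for t in terms):
        problems.append("no 'all' mechanism: unlisted senders are neither rejected nor soft-failed")
    return problems


def check_dkim(record: str) -> list[str]:
    """Return a list of problems found in a DKIM selector TXT record (tag=value; ...)."""
    problems = []
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v tag, if present, must be DKIM1")
    key_type = tags.get("k", "rsa").lower()
    if key_type not in ("rsa", "ed25519"):
        problems.append(f"unsupported key type k={key_type}")
    if "y" in tags.get("t", "").split(":"):
        problems.append("t=y testing flag set: receivers may not treat failures as failures")
    pub = tags.get("p")
    if pub is None:
        problems.append("missing p tag (public key)")
    elif pub == "":
        problems.append("empty p tag: key is revoked, signatures will not verify")
    else:
        try:
            der = base64.b64decode("".join(pub.split()), validate=True)
        except binascii.Error:
            problems.append("p tag is not valid base64")
        else:
            # Heuristic (assumption): a 1024-bit RSA SubjectPublicKeyInfo is ~162 bytes,
            # a 2048-bit one ~294 bytes, so anything under 250 bytes is likely too weak.
            if key_type == "rsa" and len(der) < 250:
                problems.append(f"RSA key looks smaller than 2048 bits ({len(der)} DER bytes)")
    return problems


# Constructed sample records for a hypothetical sending domain (not real DNS data).
SPF_GOOD = "v=spf1 include:_spf.example.net ip4:192.0.2.0/24 -all"
SPF_BAD = "v=spf1 " + " ".join(f"include:p{i}.example.net" for i in range(11)) + " +all"
DKIM_GOOD = "v=DKIM1; k=rsa; p=" + "A" * 392   # decodes to 294 bytes, 2048-bit sized
DKIM_WEAK = "v=DKIM1; k=rsa; p=" + "A" * 216   # decodes to 162 bytes, 1024-bit sized

if __name__ == "__main__":
    for label, record, checker in (
        ("SPF good", SPF_GOOD, check_spf),
        ("SPF bad", SPF_BAD, check_spf),
        ("DKIM good", DKIM_GOOD, check_dkim),
        ("DKIM weak", DKIM_WEAK, check_dkim),
    ):
        print(label, "->", checker(record) or "OK")
```

In practice you would feed these functions the TXT records returned by a DNS query for your domain and for each DKIM selector your email platform uses, and run the check as part of the template tests in point 3, so that a misconfigured record is found during rehearsal rather than during a live notification.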
If you’re concerned about data security, 8 Ways is here to help. Contact our team today to discover how we can assist you with matters related to data protection, brand protection, and much more.