Handling breaches: paging your incident manager!

GDPR in Practice: Compliance and Fines

Mamnoon Hadi

Head of Analytics & Insights at Readdle

Case study: Marriott GDPR violation


Discovery of the breach$^1$: in September 2018, Marriott International discovered that unauthorized access to the Starwood guest reservation database had been occurring since 2014, i.e. since before Marriott acquired Starwood in 2016

Data compromised: the breach exposed personal information of approximately 500 million guests, including names, addresses, phone numbers, email, passport numbers, dates of birth, gender, and payment card details

Delayed notification: Marriott did not notify the Information Commissioner's Office (ICO) within the 72-hour window that GDPR sets for reporting a personal data breach. The delay led to significant regulatory scrutiny and a substantial fine

$^1$ Source: ico.org.uk

Article 33 - Notification to supervisory authority

  • Key requirement:

    • Organizations must notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms
    • If notification is made later than 72 hours, it must be accompanied by the reasons for the delay
  • Information to provide:

    • Nature of the breach - what happened and how it was discovered
    • Categories and approximate number of affected data subjects (e.g. customers, employees)
    • Categories and approximate number of personal data records affected
    • Likely consequences of the breach
    • Measures taken or planned - steps to contain the breach, mitigate its effects and prevent future incidents
    • Contact details of the data protection officer or another point of contact for the supervisory authority

Article 34 - Communication to data subjects

  • When notification to data subjects is required:

    • If the breach is likely to result in a high risk to individuals' rights and freedoms, affected individuals must be informed without undue delay; the threshold ("high risk") is stricter than the "risk" threshold that triggers notification to the supervisory authority
  • Content of the notification:

    • Nature of the breach - a clear, plain-language explanation
    • Potential consequences - e.g. fraud, identity theft
    • Steps taken by the organization to contain the breach
    • Advice for affected individuals - actions they should take (e.g. changing passwords, monitoring bank accounts)
    • Contact details - a designated point of contact for further assistance

Case study: impact - Marriott violation

Financial penalty:

  • In October 2020, the UK's ICO fined Marriott International £18.4 million, down from the £99 million penalty it had announced its intention to impose in July 2019

Reputational damage:

  • A breach of this scale damages reputation on its own; failing to follow the standard GDPR procedures on top of it further erodes customer trust and the brand

Operational impact & cost:

  • Marriott incurred nearly $30 million in recovery expenses, including the cost of investigating the breach, notifying impacted customers, providing a year of security monitoring to affected guests and setting up an international call center


Best practices for data breach management

Implement robust incident response plans: develop, test and regularly update plans so that the 72-hour notification clock can be met once a breach is confirmed

Train employees: educate staff on data protection principles and breach reporting procedures

Maintain clear communication channels: ensure timely and transparent communication with regulatory bodies and affected individuals

Regularly review security measures: continuously assess and enhance security protocols to prevent breaches

Root cause analysis and documentation: identify underlying issues, such as human error, process failures or technical vulnerabilities, and keep detailed records of every breach, its effects and the remedial action taken; GDPR requires this documentation so the supervisory authority can verify compliance

Let's practice!
