Featured in JEP’s Expert Panel – 4th July 2018
In the last two posts, I examined the major areas where businesses have struggled with their GDPR implementation. Today I look at a third area: having no incident response plan for a data breach or cyber security attack.
It seems obvious that a response plan is essential for any organisation that wants to avoid being on the “back foot” when faced with a data protection or cyber security incident. This plan should have all the important guidance, emergency procedures, key contact details of the “decision” makers, and a clearly defined, time-specific action list written down in one place.
A key risk of having no plan is that valuable time is lost scrambling around trying to gather information on data protection law and compiling the list and locations of the technology systems and software in use. A big hurdle could be realising that your technology service provider is not readily available to support your organisation within the required time period, so check that you have a suitable emergency support plan in place.
So develop a response plan so that you can handle incidents responsibly, covering (a) a data breach, (b) a cyber security attack and, as good practice, (c) data subject access requests. Train people on the plan, and keep testing it every few months to ensure it is still relevant for your organisation.