This article by Alex Wall was originally published on the Compliance & Ethics Blog. Click here to view the original version of this article.
Data breaches and how to prepare for them are perennially hot topics among privacy and compliance professionals. We are well aware of the hazards involved in poor incident response, but taking a step back to evaluate incident response readiness can be helpful before your next incident occurs. Below are five key tips for incident response readiness:
Tip #1: Spend money to save money.
Push to give privacy its own budget. There is a push for privacy teams to be in charge of their own budgets within organizations (as opposed to reporting to security) because there are a number of potential conflicts of resources and interests. Consider:
- The 2016 Cost of Data Breach Study found the average consolidated total cost of a data breach grew from $3.8 million to $4 million this year. This is the cost of a single data breach, with additional losses associated with brand and reputational harm. In light of the real cost of non-compliance, making a relatively small investment in preventative measures, including staff hours, systems, and incident response preparedness tools, may well be worth the price tag.
- Under GDPR, companies will run the risk of fines that could reach 4 percent of global annual revenue for an entire conglomerate. The planning and systems that must be implemented to meet a May 2018 go-live deadline will require a significant investment.
- With the prevalence of data breach coverage in the media today, having a well-funded privacy team can be a market differentiator. For instance, Microsoft’s Brendon Lynch won the 2017 IAPP Vanguard Award at this year’s Global Privacy Summit, which assures the public and data protection authorities that leaders in the field of privacy are directly contributing to that country’s best practices with respect to personal data.
Tip #2: Identify your core and extended team NOW.
Identifying your team before an event occurs will help keep the process moving forward, and allows for a team to be familiar with each other and prepared to collaborate on short notice on privacy impact assessments and data incident response. Collaborating, with the assistance of appropriate software platforms, and discussing the multi-factor risk analysis process, will help to ensure consistency in assessment. Acting as a counselor and advisor, a privacy professional is in a position to identify and encourage collaboration among privacy-interested parties in an organization. To maximize the net value of data processed by the organization, it’s imperative to meet periodically to discuss concerns and find creative ways to improve compliance. Periodic meetings are also an opportunity to update the team on rapidly evolving breach privacy laws and breach notification standards, such as this year’s changes in the breach notification laws of New Mexico, Tennessee, the Philippines, and Japan.