One of the core principles of the GDPR is that businesses must be prepped and ready to execute the requisite notifications in the event of a breach of personal data.
Firstly, the relevant bodies must be notified within 72 hours of discovering the breach. This requires that your Data Protection Officer (DPO) or person responsible for data protection, knows who to notify and how to do it.
Remember, that while the GDPR applies across the EU, there are data privacy bodies in each member state and you need to know who to notify and how. It is best to have this information on hand as part of your incident management plan, than to be scrambling for contact details when the pressure is on.
In the event of an incident involving customer data, the business must be able to notify all affected parties in a short time period, with the appropriate information. This could mean sending a message to each of your customers.
Email is the best notification channel for large volumes and detailed content
Email is a highly efficient channel through which to execute your notification plan, especially if you are notifying thousands of individuals. Email is also best when the information is detailed and too lengthy to include in a text message.
If you don’t have customer email addresses on record, you need to run a data gathering campaign, explaining why you are asking for email addresses and that this information will only be used for the purpose of incident notification. There will be no time to do this during an incident management process.
Develop a template that meets good practice guidelines for email and is tested across common devices. This reduces the time required to complete the campaign set up. You must be able to insert the critical information into the template quickly.
Make sure the email platform you use can provide reports of time sent, successful/ unsuccessful delivery, open rates – to prove that you executed the notification plan appropriately.
Creating an incident / breach notification plan
To get this right, it’s imperative to have a notification plan prepared that is agreed between all parties – marketing, IT, compliance and legal. Your notification plan should include the following:
- A schedule of events – have a time plan that details each step of the notification process, with the aim of getting the notifications out within the required time. This schedule must involve any third party processors that you will need to help execute your plan.
- An up-to-date list of participants – make sure it’s quite clear as to who is doing what. For example, consider who is responsible for sending the notification – does it sit with marketing or compliance? And who manages the plan?
- A set of email templates – you need to develop a set of incident notification templates and have them immediately accessible, in order to insert the critical information. These templates must be pre-tested across devices.
- Ability to select/segment recipients – you will need to compile and possibly segment your customer list. You must have access to email addresses and first names to personalize (who wants a crisis message that says “Dear valued customer”?)
- Budget – have a pre-approved budget assigned, so you can expedite your plan – you don’t want to go through budget requests and approvals when the clock is ticking. If a third party is involved in your notification plan, ensure that you have the budget to cover their fees.
- Ability to send millions of messages and quickly – you cannot go from sending zero emails on a platform to sending millions. Your incident notification needs to be sent via a server that distributes high volumes consistently, so that a large distribution will not look like spam and result in deliverability issues.
- Appropriate technical setup – The email platform must be correctly configured to deliver on your behalf – the correct SPF and DKIM settings, etc.
- Reporting – getting the right information back is crucial to show evidence of your notification process. The reports you receive need to show that the messages were sent within the time-frame, which were delivered and that you made every effort to get a message to the affected party – including repeat attempts to deliver to addresses that failed the first time.
Don’t leave your notification process to chance – rather have it well mapped out, with time frames and elements, such as templates and budget, on standby.