SlideShare a Scribd company logo

Personal Data Breach Notification

T
TALOSCommunications

The document discusses recommendations for managing personal data breaches in the financial services industry. It outlines the 6 key steps required by GDPR regulations: 1) technical incident response, 2) reporting to authorities, 3) identifying affected individuals, 4) notifying individuals and providing access to personal data, 5) long-term measures like litigation preparation, and 6) public relations. Managing these mandatory processes requires interdisciplinary expertise to avoid further financial and reputational damage from errors or inefficiencies. Organizations should leverage specialized providers with legal and project management skills to properly coordinate the response.

Business
1 of 6
Download to read offline
Publication © 2019 TALOS Management Consultants. All rights reserved. | www.talos-consultants.com Personal Data Breach Notification as a Service Recommendations for the Financial Service Industry by Christian Scholten and Thomas Eustorgi In today’s digitalized world, personal data breaches are being discovered and re- ported more and more frequently.1 Particularly vulnerable is the financial service industry as it deals with large amounts of sensitive data and heightened scrutiny from regulators. The consequences of a data breach can be severe, causing drastic operational, financial and reputational damage. Banks and other financial institutions require technical incident response pro- cesses for breach detection, containment/eradication and data recovery. From an operational of view, financial institutions need a process to communicate with supervisory authorities, affected clients, and the public to provide concerned in- dividuals with relevant information and access to affected data. These processes bear substantial operational and financial risks wherefore organizations are well advised to build on expertise of professional service providers for legal advice, planning and execution.
Publication © 2019 TALOS Management Consultants. All rights reserved. | www.talos-consultants.com2 Personal Data Breach and GDPR The General Data Protection Regulation (GDPR) defines the rights of clients and em- ployees in case of a personal data breach. Pur- suant to GDPR art. 32, the data controller (e.g. a bank) must report any personal data breach to the supervisory authority within 72 hours after becoming aware of it. The data controller is also legally bound to notify the affected data subjects (clients, employees, etc.), if the per- sonal data breach is likely to result in a high risk to the rights and freedoms2 of natural persons (GDPR art. 33). The personal data breach must be communi- cated to the data subjects via appropriate chan- Data Breach Notification as a Service nels to ensure that the adequate level of detail is conveyed in a concise, transparent and intel- ligible manner. The data controller must notify each data subjects individually and preferably in writing, unless this constitutes a dispropor- tionate effort in which case the data controller might communicate the breach publicly. More- over, the data controller is obligated to estab- lish a point of contact (helpline) and to provide access to personal data including a copy of the data that undergoes processing (GDPR art. 15). In certain circumstances, this may include handing out a document containing personal data such as a copy of an email.3 Figure 1: Notification process under GDPR Footnotes: 1 Some EU Data Protection Authorities receive as many as 70 data breach notifications per 100.000 inhabitants and year (GDPR Today, www.gdprtoday.org/ gdpr-in-numbers-4) 2 The risk to the rights and freedoms includes risk of discrimination, identity theft, financial loss, or damage of reputation (cp. GDPR recital 75) The data breach response process can be bro- ken down into six main process steps (fig. 2). Step 1 is the technical incident response pro- cess for the detection of a breach, its contain- ment as well as eradication and data recovery. It is also part of the technical incident response process to analyse the breach, identify the af- fected data, and to implement customized im- provement actions. In a next step (step 2), the organization will as- sess how the breach has to be reported to the data protection authorities and other regula- tors. A data breach must be reported to the su- pervisory authority without undue delay, usual- ly within 72 hours after having become aware of the breach. This is not a one-off reporting, rather, the organization needs to maintain an effective relationship with authorities from this point forward. Profound professional legal ad- vice is key in this step of the process. A legal assessment will provide practical guidance on whether and how to notify the affected data subjects (i.e. via mail or publicly) and answer more pragmatic questions, such as which role holders of an account are to be notified or how to contact former clients with electronic mail 3 For more details, see Activity Report Data Protection Authority Hessen, Germany
Publication © 2019 TALOS Management Consultants. All rights reserved. | www.talos-consultants.com3 delivery. The organization will use the results from the legal assessment to develop an appro- priate response strategy and to plan the com- munication of the breach to affected data sub- jects and the public. In step 3, the organization requires a methodol- ogy for the identification of the affected popula- tion of data subjects, which usually combines automated data analysis with manual reviews. As a simple example, an organization could search the breached data for account numbers followed by a false-positive review. Once the population is identified, address data of affect- ed subjects will need to be queried, cleaned or even manually supplemented. This is particu- larly relevant for former clients and if the notifi- cation address differs from the regular mailing address. Prior to the actual notification of data subjects, organisations need to nominate a point of con- tact for the data subjects and develop appropri- ate talking points. Some organizations imple- ment a two-layered approach so that the first level point of contact can filter complex situa- tions to a more experienced second level sup- port. To ensure and control the consistency of messages to data subjects, only the dedicated point of contact should be authorized to com- municate about matters concerning the breach. In step 4, all affected data subjects are notified, typically either via electronical or physical mail. This may be conducted with a staggered ap- proach to better handle the amount of potential replies. A certain proportion of data subjects will request access to the affected data or even all data and the organization must be prepared to deliver access to data within a reasonable timeframe, usually within 30 days from the re- quest4 . To do so, the organization requires a standardized method on collecting the data and preparing the information by data subject. Data relating to a third parties may need to be redacted – usually by a combination of auto-re- daction and manual review to hide references to third parties. Access to data is to be provid- ed in the most efficient way, preferably in an electronic format. All activities in this step, i.e. any mailing, client contact, request or provision of access, are tracked on an individual basis and, ideally, integrated into a workflow man- agement tool. It may take several months from becoming aware of the breach until completion of step 4. Still, some of the measures are even more long- term. These measures include the preparation and response to litigation or the implementa- tion of additional preventive measures to re- duce the risk of a future breach (step 5). Figure 2: The required 6 steps following a personal data breach Footnotes: 4 That period may be extended by another 60 days taking into account the complexity and number of requests (GDPR art. 12)
Publication © 2019 TALOS Management Consultants. All rights reserved. | www.talos-consultants.com4 As discussed in the introductory paragraph, a data breach may result in significant reputa- tional risks. It is key that the organization keeps control and sovereignty of the message to cli- ents and the public even before the actual noti- fication to data subjects. This is achieved with an effective public relation and media commu- nication (step 6).
Publication © 2019 TALOS Management Consultants. All rights reserved. | www.talos-consultants.com5 A personal data breach triggers a number of mandatory operational processes, including the notification to supervisory authorities, the identification of affected data and individuals, the communication to clients and the provision of access to data. If these operational process- es are not managed and staffed properly, er- rors and other inefficiencies will result in fur- ther financial loss and reputational damage. Conclusion Managing these processes requires an inter- disciplinary approach, the knowledge and tools of specialized providers, legal expertise and project management skills. Organizations are well advised to build on the expertise and expe- rience of professional providers, which are ca- pable to manage and coordinate the interdisci- plinary aspects of a data breach notification.
Publication © 2019 TALOS Management Consultants. All rights reserved. | www.talos-consultants.com6 TALOS is continuously striving to shape new standards in management consulting. As a specialized consulting boutique of Swiss origin, we are serving the European financial services industry from our local offices in Zurich and Luxembourg. Founded by experienced management consul- tants in 2008, we have grown since then to a renowned consulting company with a comple- mentary service offering across various disci- plines. With our tailored hands-on approach, we ac- company our clients in mastering the funda- mental challenges the industry is facing. We are a trusted partner for our clients helping them to increase their organizational effective- ness and operational efficiency. We strive to be recognized as one of the lead- ing management consulting boutiques for the European financial services industry. Zurich TALOS Management Consultants Bleicherweg 45 CH-8002 Zürich Tel. +41 44 380 14 40 Luxembourg TALOS Management Consultants 6, Rives de Clausen L-2165 Luxembourg Tel. +352 26 20 23 54 www.talos-consultants.com www.shapenewstandards.com Who we are Your Contact Christian is Partner at TALOS and has been working as an internal consultant for a German logistics group since 2005 and as a manage- ment consultant since 2007 (Accenture, TALOS). Christian Scholten Partner christian.scholten@talos-consultants.ch Thomas is Manager and joined TALOS in 2016. He has over 8 years of experience in the finan- cial services industry with a global career in Switzerland, USA, Spain and South Korea. Thomas brings in functional expertise and pro- ject experience in the fields of regulatory com- pliance, outsourcing, and financial manage- ment. Thomas Eustorgi Manager thomas.eustorgi@talos-consultants.ch

Recommended

Complacency in the Face of Evolving Cybersecurity Norms is Hazardous
Complacency in the Face of Evolving Cybersecurity Norms is HazardousComplacency in the Face of Evolving Cybersecurity Norms is Hazardous
Complacency in the Face of Evolving Cybersecurity Norms is Hazardous
Ethan S. Burger
 
Data Breach White Paper
Data Breach White PaperData Breach White Paper
Data Breach White Paper
spencerharry
 
Cognizant business consulting the impacts of gdpr
Cognizant business consulting the impacts of gdprCognizant business consulting the impacts of gdpr
Cognizant business consulting the impacts of gdpr
audrey miguel
 
Healthcare preparedness 2010
Healthcare preparedness 2010Healthcare preparedness 2010
Healthcare preparedness 2010
DataMotion
 
Perspecsys_Best_Practices_Guide_for_Protecting_Healthcare_Data_in_the_Cloud
Perspecsys_Best_Practices_Guide_for_Protecting_Healthcare_Data_in_the_CloudPerspecsys_Best_Practices_Guide_for_Protecting_Healthcare_Data_in_the_Cloud
Perspecsys_Best_Practices_Guide_for_Protecting_Healthcare_Data_in_the_Cloud
Cheryl Goldberg
 
Data Breaches: The Cost of Being Unprepared
Data Breaches: The Cost of Being UnpreparedData Breaches: The Cost of Being Unprepared
Data Breaches: The Cost of Being Unprepared
haynormania
 
Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Secu...
Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Secu...Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Secu...
Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Secu...
Envision Technology Advisors
 
WhitePaper- Archiving Supports HIPAA Compliance
WhitePaper- Archiving Supports HIPAA ComplianceWhitePaper- Archiving Supports HIPAA Compliance
WhitePaper- Archiving Supports HIPAA Compliance
Succor Consulting Group, Inc.
 

Recommended

Complacency in the Face of Evolving Cybersecurity Norms is Hazardous
Complacency in the Face of Evolving Cybersecurity Norms is HazardousComplacency in the Face of Evolving Cybersecurity Norms is Hazardous
Complacency in the Face of Evolving Cybersecurity Norms is Hazardous
Ethan S. Burger
 
Data Breach White Paper
Data Breach White PaperData Breach White Paper
Data Breach White Paper
spencerharry
 
Cognizant business consulting the impacts of gdpr
Cognizant business consulting the impacts of gdprCognizant business consulting the impacts of gdpr
Cognizant business consulting the impacts of gdpr
audrey miguel
 
Healthcare preparedness 2010
Healthcare preparedness 2010Healthcare preparedness 2010
Healthcare preparedness 2010
DataMotion
 
Perspecsys_Best_Practices_Guide_for_Protecting_Healthcare_Data_in_the_Cloud
Perspecsys_Best_Practices_Guide_for_Protecting_Healthcare_Data_in_the_CloudPerspecsys_Best_Practices_Guide_for_Protecting_Healthcare_Data_in_the_Cloud
Perspecsys_Best_Practices_Guide_for_Protecting_Healthcare_Data_in_the_Cloud
Cheryl Goldberg
 
Data Breaches: The Cost of Being Unprepared
Data Breaches: The Cost of Being UnpreparedData Breaches: The Cost of Being Unprepared
Data Breaches: The Cost of Being Unprepared
haynormania
 
Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Secu...
Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Secu...Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Secu...
Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Secu...
Envision Technology Advisors
 
WhitePaper- Archiving Supports HIPAA Compliance
WhitePaper- Archiving Supports HIPAA ComplianceWhitePaper- Archiving Supports HIPAA Compliance
WhitePaper- Archiving Supports HIPAA Compliance
Succor Consulting Group, Inc.
 
Mass Information Security Requirements January 2010
Mass Information Security Requirements January 2010Mass Information Security Requirements January 2010
Mass Information Security Requirements January 2010
madamseane
 
CSR PII White Paper
CSR PII White PaperCSR PII White Paper
CSR PII White Paper
Dmcenter
 
Govt authentication brief ca v
Govt authentication brief ca vGovt authentication brief ca v
Govt authentication brief ca v
Mike Kuhn
 
Acc 675 control audit final project
Acc 675 control audit final projectAcc 675 control audit final project
Acc 675 control audit final project
Kelly Giambra
 
Michael Josephs
Michael JosephsMichael Josephs
Michael Josephs
daveGBE
 
Richmond reprint 20151106
Richmond reprint 20151106Richmond reprint 20151106
Richmond reprint 20151106
Ted Richmond
 
Date Use Rules in Different Business Scenarios:It's All Contextual
Date Use Rules in Different Business Scenarios:It's All Contextual Date Use Rules in Different Business Scenarios:It's All Contextual
Date Use Rules in Different Business Scenarios:It's All Contextual
William Tanenbaum
 
Date Use Rules in Different Business Scenarios: It's All Contextual
Date Use Rules in Different Business Scenarios: It's All ContextualDate Use Rules in Different Business Scenarios: It's All Contextual
Date Use Rules in Different Business Scenarios: It's All Contextual
William Tanenbaum
 
Draft TEFCA
Draft TEFCADraft TEFCA
Draft TEFCA
Brian Ahier
 
Date Use Rules in Different Business Scenarios: It's All Contextual
Date Use Rules in Different Business Scenarios: It's All Contextual Date Use Rules in Different Business Scenarios: It's All Contextual
Date Use Rules in Different Business Scenarios: It's All Contextual
William Tanenbaum
 
Data goverance two_8.2.18 - copy
Data goverance two_8.2.18 - copyData goverance two_8.2.18 - copy
Data goverance two_8.2.18 - copy
Sandra (Sandy) Dunn
 
Defeating Cyber Threats
Defeating Cyber ThreatsDefeating Cyber Threats
Defeating Cyber Threats
Envision Technology Advisors
 
Introduction to US Privacy and Data Security Regulations and Requirements (Se...
Introduction to US Privacy and Data Security Regulations and Requirements (Se...Introduction to US Privacy and Data Security Regulations and Requirements (Se...
Introduction to US Privacy and Data Security Regulations and Requirements (Se...
Financial Poise
 
Milliman Payor E Savings Report Final
Milliman Payor E Savings Report FinalMilliman Payor E Savings Report Final
Milliman Payor E Savings Report Final
Mark Bergen
 
Hildebrandt baker robbins presentation for coo roundtable 2010 by dave cunn...
Hildebrandt baker robbins presentation for coo roundtable 2010 by dave cunn...Hildebrandt baker robbins presentation for coo roundtable 2010 by dave cunn...
Hildebrandt baker robbins presentation for coo roundtable 2010 by dave cunn...
David Cunningham
 
Data Sovereignty and the Cloud
Data Sovereignty and the CloudData Sovereignty and the Cloud
Data Sovereignty and the Cloud
IESL - The Institution of Engineers, Sri Lanka
 
Legal issues in cloud computing
Legal issues in cloud computingLegal issues in cloud computing
Legal issues in cloud computing
Ritambhara Agrawal
 
Controlling The Cost Of Discovery In A Digital Age.Doc
Controlling The Cost Of Discovery In A Digital Age.DocControlling The Cost Of Discovery In A Digital Age.Doc
Controlling The Cost Of Discovery In A Digital Age.Doc
David Haines
 
GDPR (En) JM Tyszka
GDPR (En) JM TyszkaGDPR (En) JM Tyszka
GDPR (En) JM Tyszka
Jean-Michel Tyszka
 
The 5 Steps to Managing Third-party Risk
The 5 Steps to Managing Third-party RiskThe 5 Steps to Managing Third-party Risk
The 5 Steps to Managing Third-party Risk
Elizabeth Dimit
 
Aon GDPR white paper
Aon GDPR white paperAon GDPR white paper
Aon GDPR white paper
Graeme Cross
 
Accounting
AccountingAccounting
Accounting
jerryrabin
 

More Related Content

What's hot

Mass Information Security Requirements January 2010
Mass Information Security Requirements January 2010Mass Information Security Requirements January 2010
Mass Information Security Requirements January 2010
madamseane
 
CSR PII White Paper
CSR PII White PaperCSR PII White Paper
CSR PII White Paper
Dmcenter
 
Govt authentication brief ca v
Govt authentication brief ca vGovt authentication brief ca v
Govt authentication brief ca v
Mike Kuhn
 
Acc 675 control audit final project
Acc 675 control audit final projectAcc 675 control audit final project
Acc 675 control audit final project
Kelly Giambra
 
Michael Josephs
Michael JosephsMichael Josephs
Michael Josephs
daveGBE
 
Richmond reprint 20151106
Richmond reprint 20151106Richmond reprint 20151106
Richmond reprint 20151106
Ted Richmond
 
Date Use Rules in Different Business Scenarios:It's All Contextual
Date Use Rules in Different Business Scenarios:It's All Contextual Date Use Rules in Different Business Scenarios:It's All Contextual
Date Use Rules in Different Business Scenarios:It's All Contextual
William Tanenbaum
 
Date Use Rules in Different Business Scenarios: It's All Contextual
Date Use Rules in Different Business Scenarios: It's All ContextualDate Use Rules in Different Business Scenarios: It's All Contextual
Date Use Rules in Different Business Scenarios: It's All Contextual
William Tanenbaum
 
Draft TEFCA
Draft TEFCADraft TEFCA
Draft TEFCA
Brian Ahier
 
Date Use Rules in Different Business Scenarios: It's All Contextual
Date Use Rules in Different Business Scenarios: It's All Contextual Date Use Rules in Different Business Scenarios: It's All Contextual
Date Use Rules in Different Business Scenarios: It's All Contextual
William Tanenbaum
 
Data goverance two_8.2.18 - copy
Data goverance two_8.2.18 - copyData goverance two_8.2.18 - copy
Data goverance two_8.2.18 - copy
Sandra (Sandy) Dunn
 
Defeating Cyber Threats
Defeating Cyber ThreatsDefeating Cyber Threats
Defeating Cyber Threats
Envision Technology Advisors
 
Introduction to US Privacy and Data Security Regulations and Requirements (Se...
Introduction to US Privacy and Data Security Regulations and Requirements (Se...Introduction to US Privacy and Data Security Regulations and Requirements (Se...
Introduction to US Privacy and Data Security Regulations and Requirements (Se...
Financial Poise
 
Milliman Payor E Savings Report Final
Milliman Payor E Savings Report FinalMilliman Payor E Savings Report Final
Milliman Payor E Savings Report Final
Mark Bergen
 
Hildebrandt baker robbins presentation for coo roundtable 2010 by dave cunn...
Hildebrandt baker robbins presentation for coo roundtable 2010 by dave cunn...Hildebrandt baker robbins presentation for coo roundtable 2010 by dave cunn...
Hildebrandt baker robbins presentation for coo roundtable 2010 by dave cunn...
David Cunningham
 
Data Sovereignty and the Cloud
Data Sovereignty and the CloudData Sovereignty and the Cloud
Data Sovereignty and the Cloud
IESL - The Institution of Engineers, Sri Lanka
 
Legal issues in cloud computing
Legal issues in cloud computingLegal issues in cloud computing
Legal issues in cloud computing
Ritambhara Agrawal
 
Controlling The Cost Of Discovery In A Digital Age.Doc
Controlling The Cost Of Discovery In A Digital Age.DocControlling The Cost Of Discovery In A Digital Age.Doc
Controlling The Cost Of Discovery In A Digital Age.Doc
David Haines
 

What's hot (18)

Mass Information Security Requirements January 2010
Mass Information Security Requirements January 2010Mass Information Security Requirements January 2010
Mass Information Security Requirements January 2010
 
CSR PII White Paper
CSR PII White PaperCSR PII White Paper
CSR PII White Paper
 
Govt authentication brief ca v
Govt authentication brief ca vGovt authentication brief ca v
Govt authentication brief ca v
 
Acc 675 control audit final project
Acc 675 control audit final projectAcc 675 control audit final project
Acc 675 control audit final project
 
Michael Josephs
Michael JosephsMichael Josephs
Michael Josephs
 
Richmond reprint 20151106
Richmond reprint 20151106Richmond reprint 20151106
Richmond reprint 20151106
 
Date Use Rules in Different Business Scenarios:It's All Contextual
Date Use Rules in Different Business Scenarios:It's All Contextual Date Use Rules in Different Business Scenarios:It's All Contextual
Date Use Rules in Different Business Scenarios:It's All Contextual
 
Date Use Rules in Different Business Scenarios: It's All Contextual
Date Use Rules in Different Business Scenarios: It's All ContextualDate Use Rules in Different Business Scenarios: It's All Contextual
Date Use Rules in Different Business Scenarios: It's All Contextual
 
Draft TEFCA
Draft TEFCADraft TEFCA
Draft TEFCA
 
Date Use Rules in Different Business Scenarios: It's All Contextual
Date Use Rules in Different Business Scenarios: It's All Contextual Date Use Rules in Different Business Scenarios: It's All Contextual
Date Use Rules in Different Business Scenarios: It's All Contextual
 
Data goverance two_8.2.18 - copy
Data goverance two_8.2.18 - copyData goverance two_8.2.18 - copy
Data goverance two_8.2.18 - copy
 
Defeating Cyber Threats
Defeating Cyber ThreatsDefeating Cyber Threats
Defeating Cyber Threats
 
Introduction to US Privacy and Data Security Regulations and Requirements (Se...
Introduction to US Privacy and Data Security Regulations and Requirements (Se...Introduction to US Privacy and Data Security Regulations and Requirements (Se...
Introduction to US Privacy and Data Security Regulations and Requirements (Se...
 
Milliman Payor E Savings Report Final
Milliman Payor E Savings Report FinalMilliman Payor E Savings Report Final
Milliman Payor E Savings Report Final
 
Hildebrandt baker robbins presentation for coo roundtable 2010 by dave cunn...
Hildebrandt baker robbins presentation for coo roundtable 2010 by dave cunn...Hildebrandt baker robbins presentation for coo roundtable 2010 by dave cunn...
Hildebrandt baker robbins presentation for coo roundtable 2010 by dave cunn...
 
Data Sovereignty and the Cloud
Data Sovereignty and the CloudData Sovereignty and the Cloud
Data Sovereignty and the Cloud
 
Legal issues in cloud computing
Legal issues in cloud computingLegal issues in cloud computing
Legal issues in cloud computing
 
Controlling The Cost Of Discovery In A Digital Age.Doc
Controlling The Cost Of Discovery In A Digital Age.DocControlling The Cost Of Discovery In A Digital Age.Doc
Controlling The Cost Of Discovery In A Digital Age.Doc
 

Similar to Personal Data Breach Notification

GDPR (En) JM Tyszka
GDPR (En) JM TyszkaGDPR (En) JM Tyszka
GDPR (En) JM Tyszka
Jean-Michel Tyszka
 
The 5 Steps to Managing Third-party Risk
The 5 Steps to Managing Third-party RiskThe 5 Steps to Managing Third-party Risk
The 5 Steps to Managing Third-party Risk
Elizabeth Dimit
 
Aon GDPR white paper
Aon GDPR white paperAon GDPR white paper
Aon GDPR white paper
Graeme Cross
 
Accounting
AccountingAccounting
Accounting
jerryrabin
 
Keep Calm and Comply: 3 Keys to GDPR Success
Keep Calm and Comply: 3 Keys to GDPR SuccessKeep Calm and Comply: 3 Keys to GDPR Success
Keep Calm and Comply: 3 Keys to GDPR Success
Sirius
 
Eu data protection regulations (point-of-view)
Eu data protection regulations (point-of-view)Eu data protection regulations (point-of-view)
Eu data protection regulations (point-of-view)
Gerson Trigueiros
 
Master Data in the Cloud: 5 Security Fundamentals
Master Data in the Cloud: 5 Security FundamentalsMaster Data in the Cloud: 5 Security Fundamentals
Master Data in the Cloud: 5 Security Fundamentals
Sarah Fane
 
GDPR Solutions That Won't Break the Bank
GDPR Solutions That Won't Break the BankGDPR Solutions That Won't Break the Bank
GDPR Solutions That Won't Break the Bank
"John "Jeb"" Beckwith
 
5 Questions Financial Institutions Should Ask About GDPR Readiness
5 Questions Financial Institutions Should Ask About GDPR Readiness5 Questions Financial Institutions Should Ask About GDPR Readiness
5 Questions Financial Institutions Should Ask About GDPR Readiness
Appian
 
Operational impact of gdpr finance industries in the caribbean
Operational impact of gdpr finance industries in the caribbeanOperational impact of gdpr finance industries in the caribbean
Operational impact of gdpr finance industries in the caribbean
EquiGov Institute
 
Janrain Identity Cloud GDPR Assessment Kit
Janrain Identity Cloud GDPR Assessment Kit Janrain Identity Cloud GDPR Assessment Kit
Janrain Identity Cloud GDPR Assessment Kit
Sean Bailey
 
Healthcare preparedness 2010
Healthcare preparedness 2010Healthcare preparedness 2010
Healthcare preparedness 2010
DataMotion
 
Data Security and Privacy Under The Compliance Spotlight April 2014
Data Security and Privacy Under The Compliance Spotlight April 2014Data Security and Privacy Under The Compliance Spotlight April 2014
Data Security and Privacy Under The Compliance Spotlight April 2014
Adriana Sanford
 
Managing Consumer Data Privacy
Managing Consumer Data PrivacyManaging Consumer Data Privacy
Managing Consumer Data Privacy
Gigya
 
Solving the Encryption Conundrum in Financial Services
Solving the Encryption Conundrum in Financial ServicesSolving the Encryption Conundrum in Financial Services
Solving the Encryption Conundrum in Financial Services
Echoworx
 
2014 ota databreachguide4
2014 ota databreachguide42014 ota databreachguide4
2014 ota databreachguide4
Meg Weber
 
2013 cost of data breach study - France
2013 cost of data breach study - France2013 cost of data breach study - France
2013 cost of data breach study - France
Bee_Ware
 
Enterprise Fraud Management: How Banks Need to Adapt
Enterprise Fraud Management: How Banks Need to AdaptEnterprise Fraud Management: How Banks Need to Adapt
Enterprise Fraud Management: How Banks Need to Adapt
Capgemini
 
2014-2015-data-breach-response-guide
2014-2015-data-breach-response-guide2014-2015-data-breach-response-guide
2014-2015-data-breach-response-guide
James Fisher
 
For digital media companies, effective cybersecurity programs a must
For digital media companies, effective cybersecurity programs a mustFor digital media companies, effective cybersecurity programs a must
For digital media companies, effective cybersecurity programs a must
Grant Thornton LLP
 

Similar to Personal Data Breach Notification (20)

GDPR (En) JM Tyszka
GDPR (En) JM TyszkaGDPR (En) JM Tyszka
GDPR (En) JM Tyszka
 
The 5 Steps to Managing Third-party Risk
The 5 Steps to Managing Third-party RiskThe 5 Steps to Managing Third-party Risk
The 5 Steps to Managing Third-party Risk
 
Aon GDPR white paper
Aon GDPR white paperAon GDPR white paper
Aon GDPR white paper
 
Accounting
AccountingAccounting
Accounting
 
Keep Calm and Comply: 3 Keys to GDPR Success
Keep Calm and Comply: 3 Keys to GDPR SuccessKeep Calm and Comply: 3 Keys to GDPR Success
Keep Calm and Comply: 3 Keys to GDPR Success
 
Eu data protection regulations (point-of-view)
Eu data protection regulations (point-of-view)Eu data protection regulations (point-of-view)
Eu data protection regulations (point-of-view)
 
Master Data in the Cloud: 5 Security Fundamentals
Master Data in the Cloud: 5 Security FundamentalsMaster Data in the Cloud: 5 Security Fundamentals
Master Data in the Cloud: 5 Security Fundamentals
 
GDPR Solutions That Won't Break the Bank
GDPR Solutions That Won't Break the BankGDPR Solutions That Won't Break the Bank
GDPR Solutions That Won't Break the Bank
 
5 Questions Financial Institutions Should Ask About GDPR Readiness
5 Questions Financial Institutions Should Ask About GDPR Readiness5 Questions Financial Institutions Should Ask About GDPR Readiness
5 Questions Financial Institutions Should Ask About GDPR Readiness
 
Operational impact of gdpr finance industries in the caribbean
Operational impact of gdpr finance industries in the caribbeanOperational impact of gdpr finance industries in the caribbean
Operational impact of gdpr finance industries in the caribbean
 
Janrain Identity Cloud GDPR Assessment Kit
Janrain Identity Cloud GDPR Assessment Kit Janrain Identity Cloud GDPR Assessment Kit
Janrain Identity Cloud GDPR Assessment Kit
 
Healthcare preparedness 2010
Healthcare preparedness 2010Healthcare preparedness 2010
Healthcare preparedness 2010
 
Data Security and Privacy Under The Compliance Spotlight April 2014
Data Security and Privacy Under The Compliance Spotlight April 2014Data Security and Privacy Under The Compliance Spotlight April 2014
Data Security and Privacy Under The Compliance Spotlight April 2014
 
Managing Consumer Data Privacy
Managing Consumer Data PrivacyManaging Consumer Data Privacy
Managing Consumer Data Privacy
 
Solving the Encryption Conundrum in Financial Services
Solving the Encryption Conundrum in Financial ServicesSolving the Encryption Conundrum in Financial Services
Solving the Encryption Conundrum in Financial Services
 
2014 ota databreachguide4
2014 ota databreachguide42014 ota databreachguide4
2014 ota databreachguide4
 
2013 cost of data breach study - France
2013 cost of data breach study - France2013 cost of data breach study - France
2013 cost of data breach study - France
 
Enterprise Fraud Management: How Banks Need to Adapt
Enterprise Fraud Management: How Banks Need to AdaptEnterprise Fraud Management: How Banks Need to Adapt
Enterprise Fraud Management: How Banks Need to Adapt
 
2014-2015-data-breach-response-guide
2014-2015-data-breach-response-guide2014-2015-data-breach-response-guide
2014-2015-data-breach-response-guide
 
For digital media companies, effective cybersecurity programs a must
For digital media companies, effective cybersecurity programs a mustFor digital media companies, effective cybersecurity programs a must
For digital media companies, effective cybersecurity programs a must
 

More from TALOSCommunications

Data Breach Notification
Data Breach NotificationData Breach Notification
Data Breach Notification
TALOSCommunications
 
DSGVO
DSGVODSGVO
DSGVO
TALOSCommunications
 
AIFM Pitfalls
AIFM PitfallsAIFM Pitfalls
AIFM Pitfalls
TALOSCommunications
 
Compliance Organisation Health Check
Compliance Organisation Health CheckCompliance Organisation Health Check
Compliance Organisation Health Check
TALOSCommunications
 
LIBOR DE
LIBOR DELIBOR DE
LIBOR DE
TALOSCommunications
 
LIBOR
LIBORLIBOR
LIBOR
TALOSCommunications
 
TALOS Luxembourg FR
TALOS Luxembourg FRTALOS Luxembourg FR
TALOS Luxembourg FR
TALOSCommunications
 
TALOS Luxembourg EN
TALOS Luxembourg ENTALOS Luxembourg EN
TALOS Luxembourg EN
TALOSCommunications
 
TALOS Luxembourg DE
TALOS Luxembourg DETALOS Luxembourg DE
TALOS Luxembourg DE
TALOSCommunications
 
goAML
goAMLgoAML
goAML
TALOSCommunications
 
Blockchain
BlockchainBlockchain
Blockchain
TALOSCommunications
 
Revidiertes Geldwaeschereigesetz
Revidiertes GeldwaeschereigesetzRevidiertes Geldwaeschereigesetz
Revidiertes Geldwaeschereigesetz
TALOSCommunications
 
Digital Transformation
Digital TransformationDigital Transformation
Digital Transformation
TALOSCommunications
 
Digital Transformation
Digital TransformationDigital Transformation
Digital Transformation
TALOSCommunications
 
Kostentransparenz unter FIDLEG und MiFID II
Kostentransparenz unter FIDLEG und MiFID IIKostentransparenz unter FIDLEG und MiFID II
Kostentransparenz unter FIDLEG und MiFID II
TALOSCommunications
 
Successfully Managing Remediation Projects
Successfully Managing Remediation ProjectsSuccessfully Managing Remediation Projects
Successfully Managing Remediation Projects
TALOSCommunications
 
MiFID II und PRIIPs - Das erste Quartal
MiFID II und PRIIPs - Das erste QuartalMiFID II und PRIIPs - Das erste Quartal
MiFID II und PRIIPs - Das erste Quartal
TALOSCommunications
 
Choices on your digital path
Choices on your digital pathChoices on your digital path
Choices on your digital path
TALOSCommunications
 
Le règlement général sur la protection des données (« RGPD ») chez les banque...
Le règlement général sur la protection des données (« RGPD ») chez les banque...Le règlement général sur la protection des données (« RGPD ») chez les banque...
Le règlement général sur la protection des données (« RGPD ») chez les banque...
TALOSCommunications
 
Die Datenschutzgrundverordnung («DSGVO») bei Banken und Finanzdienstleistern:...
Die Datenschutzgrundverordnung («DSGVO») bei Banken und Finanzdienstleistern:...Die Datenschutzgrundverordnung («DSGVO») bei Banken und Finanzdienstleistern:...
Die Datenschutzgrundverordnung («DSGVO») bei Banken und Finanzdienstleistern:...
TALOSCommunications
 

More from TALOSCommunications (20)

Data Breach Notification
Data Breach NotificationData Breach Notification
Data Breach Notification
 
DSGVO
DSGVODSGVO
DSGVO
 
AIFM Pitfalls
AIFM PitfallsAIFM Pitfalls
AIFM Pitfalls
 
Compliance Organisation Health Check
Compliance Organisation Health CheckCompliance Organisation Health Check
Compliance Organisation Health Check
 
LIBOR DE
LIBOR DELIBOR DE
LIBOR DE
 
LIBOR
LIBORLIBOR
LIBOR
 
TALOS Luxembourg FR
TALOS Luxembourg FRTALOS Luxembourg FR
TALOS Luxembourg FR
 
TALOS Luxembourg EN
TALOS Luxembourg ENTALOS Luxembourg EN
TALOS Luxembourg EN
 
TALOS Luxembourg DE
TALOS Luxembourg DETALOS Luxembourg DE
TALOS Luxembourg DE
 
goAML
goAMLgoAML
goAML
 
Blockchain
BlockchainBlockchain
Blockchain
 
Revidiertes Geldwaeschereigesetz
Revidiertes GeldwaeschereigesetzRevidiertes Geldwaeschereigesetz
Revidiertes Geldwaeschereigesetz
 
Digital Transformation
Digital TransformationDigital Transformation
Digital Transformation
 
Digital Transformation
Digital TransformationDigital Transformation
Digital Transformation
 
Kostentransparenz unter FIDLEG und MiFID II
Kostentransparenz unter FIDLEG und MiFID IIKostentransparenz unter FIDLEG und MiFID II
Kostentransparenz unter FIDLEG und MiFID II
 
Successfully Managing Remediation Projects
Successfully Managing Remediation ProjectsSuccessfully Managing Remediation Projects
Successfully Managing Remediation Projects
 
MiFID II und PRIIPs - Das erste Quartal
MiFID II und PRIIPs - Das erste QuartalMiFID II und PRIIPs - Das erste Quartal
MiFID II und PRIIPs - Das erste Quartal
 
Choices on your digital path
Choices on your digital pathChoices on your digital path
Choices on your digital path
 
Le règlement général sur la protection des données (« RGPD ») chez les banque...
Le règlement général sur la protection des données (« RGPD ») chez les banque...Le règlement général sur la protection des données (« RGPD ») chez les banque...
Le règlement général sur la protection des données (« RGPD ») chez les banque...
 
Die Datenschutzgrundverordnung («DSGVO») bei Banken und Finanzdienstleistern:...
Die Datenschutzgrundverordnung («DSGVO») bei Banken und Finanzdienstleistern:...Die Datenschutzgrundverordnung («DSGVO») bei Banken und Finanzdienstleistern:...
Die Datenschutzgrundverordnung («DSGVO») bei Banken und Finanzdienstleistern:...
 

Recently uploaded

Understanding User Needs and Satisfying Them
Understanding User Needs and Satisfying ThemUnderstanding User Needs and Satisfying Them
Understanding User Needs and Satisfying Them
Aggregage
 
Dpboss Matka Guessing Satta Matta Matka Kalyan Chart Satta Matka
Dpboss Matka Guessing Satta Matta Matka Kalyan Chart Satta MatkaDpboss Matka Guessing Satta Matta Matka Kalyan Chart Satta Matka
Dpboss Matka Guessing Satta Matta Matka Kalyan Chart Satta Matka
➒➌➎➏➑➐➋➑➐➐Dpboss Matka Guessing Satta Matka Kalyan Chart Indian Matka
 
Training my puppy and implementation in this story
Training my puppy and implementation in this storyTraining my puppy and implementation in this story
Training my puppy and implementation in this story
WilliamRodrigues148
 
Mastering B2B Payments Webinar from BlueSnap
Mastering B2B Payments Webinar from BlueSnapMastering B2B Payments Webinar from BlueSnap
Mastering B2B Payments Webinar from BlueSnap
Norma Mushkat Gaffin
 
Best Forex Brokers Comparison in INDIA 2024
Best Forex Brokers Comparison in INDIA 2024Best Forex Brokers Comparison in INDIA 2024
Best Forex Brokers Comparison in INDIA 2024
Top Forex Brokers Review
 
LA HUG - Video Testimonials with Chynna Morgan - June 2024
LA HUG - Video Testimonials with Chynna Morgan - June 2024LA HUG - Video Testimonials with Chynna Morgan - June 2024
LA HUG - Video Testimonials with Chynna Morgan - June 2024
Lital Barkan
 
Best practices for project execution and delivery
Best practices for project execution and deliveryBest practices for project execution and delivery
Best practices for project execution and delivery
CLIVE MINCHIN
 
Evgen Osmak: Methods of key project parameters estimation: from the shaman-in...
Evgen Osmak: Methods of key project parameters estimation: from the shaman-in...Evgen Osmak: Methods of key project parameters estimation: from the shaman-in...
Evgen Osmak: Methods of key project parameters estimation: from the shaman-in...
Lviv Startup Club
 
Business storytelling: key ingredients to a story
Business storytelling: key ingredients to a storyBusiness storytelling: key ingredients to a story
Business storytelling: key ingredients to a story
Alexandra Fulford
 
ikea_woodgreen_petscharity_cat-alogue_digital.pdf
ikea_woodgreen_petscharity_cat-alogue_digital.pdfikea_woodgreen_petscharity_cat-alogue_digital.pdf
ikea_woodgreen_petscharity_cat-alogue_digital.pdf
agatadrynko
 
The Evolution and Impact of OTT Platforms: A Deep Dive into the Future of Ent...
The Evolution and Impact of OTT Platforms: A Deep Dive into the Future of Ent...The Evolution and Impact of OTT Platforms: A Deep Dive into the Future of Ent...
The Evolution and Impact of OTT Platforms: A Deep Dive into the Future of Ent...
ABHILASH DUTTA
 
Tata Group Dials Taiwan for Its Chipmaking Ambition in Gujarat’s Dholera
Tata Group Dials Taiwan for Its Chipmaking Ambition in Gujarat’s DholeraTata Group Dials Taiwan for Its Chipmaking Ambition in Gujarat’s Dholera
Tata Group Dials Taiwan for Its Chipmaking Ambition in Gujarat’s Dholera
Avirahi City Dholera
 
-- June 2024 is National Volunteer Month --
-- June 2024 is National Volunteer Month ---- June 2024 is National Volunteer Month --
-- June 2024 is National Volunteer Month --
NZSG
 
Organizational Change Leadership Agile Tour Geneve 2024
Organizational Change Leadership Agile Tour Geneve 2024Organizational Change Leadership Agile Tour Geneve 2024
Organizational Change Leadership Agile Tour Geneve 2024
Kirill Klimov
 
Chapter 7 Final business management sciences .ppt
Chapter 7 Final business management sciences .pptChapter 7 Final business management sciences .ppt
Chapter 7 Final business management sciences .ppt
ssuser567e2d
 
BeMetals Investor Presentation_June 1, 2024.pdf
BeMetals Investor Presentation_June 1, 2024.pdfBeMetals Investor Presentation_June 1, 2024.pdf
BeMetals Investor Presentation_June 1, 2024.pdf
DerekIwanaka1
 
Authentically Social Presented by Corey Perlman
Authentically Social Presented by Corey PerlmanAuthentically Social Presented by Corey Perlman
Authentically Social Presented by Corey Perlman
Corey Perlman, Social Media Speaker and Consultant
 
Industrial Tech SW: Category Renewal and Creation
Industrial Tech SW: Category Renewal and CreationIndustrial Tech SW: Category Renewal and Creation
Industrial Tech SW: Category Renewal and Creation
Christian Dahlen
 
Part 2 Deep Dive: Navigating the 2024 Slowdown
Part 2 Deep Dive: Navigating the 2024 SlowdownPart 2 Deep Dive: Navigating the 2024 Slowdown
Part 2 Deep Dive: Navigating the 2024 Slowdown
jeffkluth1
 
Observation Lab PowerPoint Assignment for TEM 431
Observation Lab PowerPoint Assignment for TEM 431Observation Lab PowerPoint Assignment for TEM 431
Observation Lab PowerPoint Assignment for TEM 431
ecamare2
 

Recently uploaded (20)

Understanding User Needs and Satisfying Them
Understanding User Needs and Satisfying ThemUnderstanding User Needs and Satisfying Them
Understanding User Needs and Satisfying Them
 
Dpboss Matka Guessing Satta Matta Matka Kalyan Chart Satta Matka
Dpboss Matka Guessing Satta Matta Matka Kalyan Chart Satta MatkaDpboss Matka Guessing Satta Matta Matka Kalyan Chart Satta Matka
Dpboss Matka Guessing Satta Matta Matka Kalyan Chart Satta Matka
 
Training my puppy and implementation in this story
Training my puppy and implementation in this storyTraining my puppy and implementation in this story
Training my puppy and implementation in this story
 
Mastering B2B Payments Webinar from BlueSnap
Mastering B2B Payments Webinar from BlueSnapMastering B2B Payments Webinar from BlueSnap
Mastering B2B Payments Webinar from BlueSnap
 
Best Forex Brokers Comparison in INDIA 2024
Best Forex Brokers Comparison in INDIA 2024Best Forex Brokers Comparison in INDIA 2024
Best Forex Brokers Comparison in INDIA 2024
 
LA HUG - Video Testimonials with Chynna Morgan - June 2024
LA HUG - Video Testimonials with Chynna Morgan - June 2024LA HUG - Video Testimonials with Chynna Morgan - June 2024
LA HUG - Video Testimonials with Chynna Morgan - June 2024
 
Best practices for project execution and delivery
Best practices for project execution and deliveryBest practices for project execution and delivery
Best practices for project execution and delivery
 
Evgen Osmak: Methods of key project parameters estimation: from the shaman-in...
Evgen Osmak: Methods of key project parameters estimation: from the shaman-in...Evgen Osmak: Methods of key project parameters estimation: from the shaman-in...
Evgen Osmak: Methods of key project parameters estimation: from the shaman-in...
 
Business storytelling: key ingredients to a story
Business storytelling: key ingredients to a storyBusiness storytelling: key ingredients to a story
Business storytelling: key ingredients to a story
 
ikea_woodgreen_petscharity_cat-alogue_digital.pdf
ikea_woodgreen_petscharity_cat-alogue_digital.pdfikea_woodgreen_petscharity_cat-alogue_digital.pdf
ikea_woodgreen_petscharity_cat-alogue_digital.pdf
 
The Evolution and Impact of OTT Platforms: A Deep Dive into the Future of Ent...
The Evolution and Impact of OTT Platforms: A Deep Dive into the Future of Ent...The Evolution and Impact of OTT Platforms: A Deep Dive into the Future of Ent...
The Evolution and Impact of OTT Platforms: A Deep Dive into the Future of Ent...
 
Tata Group Dials Taiwan for Its Chipmaking Ambition in Gujarat’s Dholera
Tata Group Dials Taiwan for Its Chipmaking Ambition in Gujarat’s DholeraTata Group Dials Taiwan for Its Chipmaking Ambition in Gujarat’s Dholera
Tata Group Dials Taiwan for Its Chipmaking Ambition in Gujarat’s Dholera
 
-- June 2024 is National Volunteer Month --
-- June 2024 is National Volunteer Month ---- June 2024 is National Volunteer Month --
-- June 2024 is National Volunteer Month --
 
Organizational Change Leadership Agile Tour Geneve 2024
Organizational Change Leadership Agile Tour Geneve 2024Organizational Change Leadership Agile Tour Geneve 2024
Organizational Change Leadership Agile Tour Geneve 2024
 
Chapter 7 Final business management sciences .ppt
Chapter 7 Final business management sciences .pptChapter 7 Final business management sciences .ppt
Chapter 7 Final business management sciences .ppt
 
BeMetals Investor Presentation_June 1, 2024.pdf
BeMetals Investor Presentation_June 1, 2024.pdfBeMetals Investor Presentation_June 1, 2024.pdf
BeMetals Investor Presentation_June 1, 2024.pdf
 
Authentically Social Presented by Corey Perlman
Authentically Social Presented by Corey PerlmanAuthentically Social Presented by Corey Perlman
Authentically Social Presented by Corey Perlman
 
Industrial Tech SW: Category Renewal and Creation
Industrial Tech SW: Category Renewal and CreationIndustrial Tech SW: Category Renewal and Creation
Industrial Tech SW: Category Renewal and Creation
 
Part 2 Deep Dive: Navigating the 2024 Slowdown
Part 2 Deep Dive: Navigating the 2024 SlowdownPart 2 Deep Dive: Navigating the 2024 Slowdown
Part 2 Deep Dive: Navigating the 2024 Slowdown
 
Observation Lab PowerPoint Assignment for TEM 431
Observation Lab PowerPoint Assignment for TEM 431Observation Lab PowerPoint Assignment for TEM 431
Observation Lab PowerPoint Assignment for TEM 431
 

Personal Data Breach Notification

  • 1. Publication © 2019 TALOS Management Consultants. All rights reserved. | www.talos-consultants.com Personal Data Breach Notification as a Service Recommendations for the Financial Service Industry by Christian Scholten and Thomas Eustorgi In today’s digitalized world, personal data breaches are being discovered and re- ported more and more frequently.1 Particularly vulnerable is the financial service industry as it deals with large amounts of sensitive data and heightened scrutiny from regulators. The consequences of a data breach can be severe, causing drastic operational, financial and reputational damage. Banks and other financial institutions require technical incident response pro- cesses for breach detection, containment/eradication and data recovery. From an operational of view, financial institutions need a process to communicate with supervisory authorities, affected clients, and the public to provide concerned in- dividuals with relevant information and access to affected data. These processes bear substantial operational and financial risks wherefore organizations are well advised to build on expertise of professional service providers for legal advice, planning and execution.
  • 2. Publication © 2019 TALOS Management Consultants. All rights reserved. | www.talos-consultants.com2 Personal Data Breach and GDPR The General Data Protection Regulation (GDPR) defines the rights of clients and em- ployees in case of a personal data breach. Pur- suant to GDPR art. 32, the data controller (e.g. a bank) must report any personal data breach to the supervisory authority within 72 hours after becoming aware of it. The data controller is also legally bound to notify the affected data subjects (clients, employees, etc.), if the per- sonal data breach is likely to result in a high risk to the rights and freedoms2 of natural persons (GDPR art. 33). The personal data breach must be communi- cated to the data subjects via appropriate chan- Data Breach Notification as a Service nels to ensure that the adequate level of detail is conveyed in a concise, transparent and intel- ligible manner. The data controller must notify each data subjects individually and preferably in writing, unless this constitutes a dispropor- tionate effort in which case the data controller might communicate the breach publicly. More- over, the data controller is obligated to estab- lish a point of contact (helpline) and to provide access to personal data including a copy of the data that undergoes processing (GDPR art. 15). In certain circumstances, this may include handing out a document containing personal data such as a copy of an email.3 Figure 1: Notification process under GDPR Footnotes: 1 Some EU Data Protection Authorities receive as many as 70 data breach notifications per 100.000 inhabitants and year (GDPR Today, www.gdprtoday.org/ gdpr-in-numbers-4) 2 The risk to the rights and freedoms includes risk of discrimination, identity theft, financial loss, or damage of reputation (cp. GDPR recital 75) The data breach response process can be bro- ken down into six main process steps (fig. 2). Step 1 is the technical incident response pro- cess for the detection of a breach, its contain- ment as well as eradication and data recovery. It is also part of the technical incident response process to analyse the breach, identify the af- fected data, and to implement customized im- provement actions. In a next step (step 2), the organization will as- sess how the breach has to be reported to the data protection authorities and other regula- tors. A data breach must be reported to the su- pervisory authority without undue delay, usual- ly within 72 hours after having become aware of the breach. This is not a one-off reporting, rather, the organization needs to maintain an effective relationship with authorities from this point forward. Profound professional legal ad- vice is key in this step of the process. A legal assessment will provide practical guidance on whether and how to notify the affected data subjects (i.e. via mail or publicly) and answer more pragmatic questions, such as which role holders of an account are to be notified or how to contact former clients with electronic mail 3 For more details, see Activity Report Data Protection Authority Hessen, Germany
  • 3. Publication © 2019 TALOS Management Consultants. All rights reserved. | www.talos-consultants.com3 delivery. The organization will use the results from the legal assessment to develop an appro- priate response strategy and to plan the com- munication of the breach to affected data sub- jects and the public. In step 3, the organization requires a methodol- ogy for the identification of the affected popula- tion of data subjects, which usually combines automated data analysis with manual reviews. As a simple example, an organization could search the breached data for account numbers followed by a false-positive review. Once the population is identified, address data of affect- ed subjects will need to be queried, cleaned or even manually supplemented. This is particu- larly relevant for former clients and if the notifi- cation address differs from the regular mailing address. Prior to the actual notification of data subjects, organisations need to nominate a point of con- tact for the data subjects and develop appropri- ate talking points. Some organizations imple- ment a two-layered approach so that the first level point of contact can filter complex situa- tions to a more experienced second level sup- port. To ensure and control the consistency of messages to data subjects, only the dedicated point of contact should be authorized to com- municate about matters concerning the breach. In step 4, all affected data subjects are notified, typically either via electronical or physical mail. This may be conducted with a staggered ap- proach to better handle the amount of potential replies. A certain proportion of data subjects will request access to the affected data or even all data and the organization must be prepared to deliver access to data within a reasonable timeframe, usually within 30 days from the re- quest4 . To do so, the organization requires a standardized method on collecting the data and preparing the information by data subject. Data relating to a third parties may need to be redacted – usually by a combination of auto-re- daction and manual review to hide references to third parties. Access to data is to be provid- ed in the most efficient way, preferably in an electronic format. All activities in this step, i.e. any mailing, client contact, request or provision of access, are tracked on an individual basis and, ideally, integrated into a workflow man- agement tool. It may take several months from becoming aware of the breach until completion of step 4. Still, some of the measures are even more long- term. These measures include the preparation and response to litigation or the implementa- tion of additional preventive measures to re- duce the risk of a future breach (step 5). Figure 2: The required 6 steps following a personal data breach Footnotes: 4 That period may be extended by another 60 days taking into account the complexity and number of requests (GDPR art. 12)
  • 4. Publication © 2019 TALOS Management Consultants. All rights reserved. | www.talos-consultants.com4 As discussed in the introductory paragraph, a data breach may result in significant reputa- tional risks. It is key that the organization keeps control and sovereignty of the message to cli- ents and the public even before the actual noti- fication to data subjects. This is achieved with an effective public relation and media commu- nication (step 6).
  • 5. Publication © 2019 TALOS Management Consultants. All rights reserved. | www.talos-consultants.com5 A personal data breach triggers a number of mandatory operational processes, including the notification to supervisory authorities, the identification of affected data and individuals, the communication to clients and the provision of access to data. If these operational process- es are not managed and staffed properly, er- rors and other inefficiencies will result in fur- ther financial loss and reputational damage. Conclusion Managing these processes requires an inter- disciplinary approach, the knowledge and tools of specialized providers, legal expertise and project management skills. Organizations are well advised to build on the expertise and expe- rience of professional providers, which are ca- pable to manage and coordinate the interdisci- plinary aspects of a data breach notification.
  • 6. Publication © 2019 TALOS Management Consultants. All rights reserved. | www.talos-consultants.com6 TALOS is continuously striving to shape new standards in management consulting. As a specialized consulting boutique of Swiss origin, we are serving the European financial services industry from our local offices in Zurich and Luxembourg. Founded by experienced management consul- tants in 2008, we have grown since then to a renowned consulting company with a comple- mentary service offering across various disci- plines. With our tailored hands-on approach, we ac- company our clients in mastering the funda- mental challenges the industry is facing. We are a trusted partner for our clients helping them to increase their organizational effective- ness and operational efficiency. We strive to be recognized as one of the lead- ing management consulting boutiques for the European financial services industry. Zurich TALOS Management Consultants Bleicherweg 45 CH-8002 Zürich Tel. +41 44 380 14 40 Luxembourg TALOS Management Consultants 6, Rives de Clausen L-2165 Luxembourg Tel. +352 26 20 23 54 www.talos-consultants.com www.shapenewstandards.com Who we are Your Contact Christian is Partner at TALOS and has been working as an internal consultant for a German logistics group since 2005 and as a manage- ment consultant since 2007 (Accenture, TALOS). Christian Scholten Partner christian.scholten@talos-consultants.ch Thomas is Manager and joined TALOS in 2016. He has over 8 years of experience in the finan- cial services industry with a global career in Switzerland, USA, Spain and South Korea. Thomas brings in functional expertise and pro- ject experience in the fields of regulatory com- pliance, outsourcing, and financial manage- ment. Thomas Eustorgi Manager thomas.eustorgi@talos-consultants.ch