NOTIFY – DLA Piper’s data breach assessment tool

news
21 Oct 2020
Insights

For most organisations, complying with the GDPR is challenging and only few organisations are compliant at all times. This is true of small enterprises as well as large multinational organisations, with more than 160,000 data breaches being reported to the supervisory authorities in the EU in 2019 alone.

As supervisory authorities demand greater levels of accountability for decision making, it has never been more important to apply a consistent response handling approach, based on objective and quantitative criteria. This is why we developed NOTIFY – DLA Piper’s tool for personal data breach assessments.

Data breaches: The GDPR framework

Under the General Data Protection Regulation (GDPR), organisations are required to notify personal data breaches to the supervisory authority and the wider public. The notification needs to be done within a very short time frame of 72 hours after the company has become aware of the data breach, unless the breach is unlikely to result in a “risk” to the rights and freedoms of the affected individuals. If the breach is likely to result in a “high risk”, the affected individuals themselves need to be informed as well.

The assessment whether or not to notify needs to be documented including the facts relating to the personal data breach, its effects and the remedial action taken. The potential sanctions for not notifying a risk or high risk data breach may lead to fines of up to €10 million or 2% of the global annual turnover of the company.

However, it can be quite a challenge for an organisation to determine the level of risk and appropriate response to breach reporting.

The challenges and the needs

The triggers to notify risk and high risk are not well described by the legislator, which makes it difficult for companies to assess the severity of a data breach.

As there is little guidance and typically a lot of time pressure, organisations may be tempted to rely on their simple gut feeling and ad hoc decisions, without using clear criteria and a consistent approach. Yet this subjective and inconsistent approach creates a risk for the organisation, due to the possibility of fines for non-compliance with the GDPR notification requirements. In addition, supervisory authorities demand consistency in an organisation’s approach.

Faced with these challenges, there is a need for a consistent methodology, based on objective and quantitative criteria describing what constitutes a risk and a high risk, respectively. In order to move away from the “gut feeling” there is a need for a combined quantitative and qualitative approach, with well described examples.

This is where DLA Piper’s data breach assessment tool, NOTIFY, comes into the picture.

NOTIFY – The solution

Our GDPR team knows how to determine the level of risk and appropriate response to breach reporting. As experts in the field, they have developed an assessment tool, called NOTIFY, a unique data breach assessment tool to bring consistency and accountability into breach response handling.

NOTIFY combines elements from three official sources: ENISA, the GDPR and the EDPB. DLA Piper’s NOTIFY tool is structured as an intelligent questionnaire that calculates the level of risk dynamically.

This assessment solution allows companies to assess the severity of a data breach using a methodology based on objective criteria sourced from official sources.

NOTIFY provides:

  • Quantitive approach: instead of basing the assessment on ad hoc decision making and gut feeling, the tool uses a quantitative approach measuring the risk of a data breach based on an algorithm
     
  • Objective approach: the criteria used for building the algorithm and measuring the severity are all drawn from official sources such as the GDPR, European Network Information Security Agency and the European Data Protection Board.
     
  • Consistent approach: obliging the company to go through a list of questions and having the tool assess the severity based on an algorithm allows for a consistent approach, independent of the person using the tool.
     
  • Dramatic time savings: Using the tool brings back the severity assessment of a data breach from many hours of conversations and assessments to under one hour.
     
  • Automated report creation: The tool automatically creates a report that can be used for documentation purposes in line with the GDPR.

Using NOTIFY makes it easy and fast to assess the severity of a data breach. It allows you to carry out your assessments of personal data breaches in a consistent and objective manner. NOTIFY also generates a report summarizing the outcome of the assessment, resulting in easier communication.

In addition, it helps organisations document the reasoning behind their decision, fully in line with the principle of accountability.

Clients can choose to use the tool themselves or to have DLA Piper carry out the relevant assessment, in which case the outcome is protected by legal privilege.

Read more about NOTIFY in the brochure below and please feel free to contact us, if you want to know more.