
Business Continuity Plan as an organisational safety measure

It may be useful to establish a Business Continuity Plan as an organisational security measure, to ensure that the company can function even in the event of a crisis, internally or externally. 

Benefits of a Business Continuity Plan as an organisational safety measure

  • Reduces the risk of long-term business interruptions, which can be a major economic advantage in the event of a crisis. 
  • Creates security for both the employees of the company and the data subjects. 
  • Helps the company comply with legal requirements.
  • Can reduce any consequences that arise in the event of a cyber attack, serious disruption or any other type of crisis. 

What is a Business Continuity Plan (BCP)?

A Business Continuity Plan is a plan for how a company should act in the event of an unexpected crisis. The aim is that a crisis, including a major one, should not prevent the company from continuing its operations. Establishing a Business Continuity Plan is a good organisational security measure that companies can take to comply with the rules of the GDPR and reduce the consequences in the event of a crisis. 


Issues to be included in a Business Continuity Plan

  • What should employees do if IT systems are no longer available? 
  • Can employees continue to work even though it is not possible to use the office? 
  • Who is responsible for what in the event of a crisis?
  • What are the most important processes for the company to continue its work? 
  • How are employees and other appropriate external parties informed about the crisis?
  • How should employees continue to process personal data correctly during an ongoing crisis?

How a Business Continuity Plan can help businesses comply with the GDPR

A Business Continuity Plan as an organisational security measure can help companies comply with several key obligations under the GDPR, and demonstrate that the company complies with the regulatory framework under the principle of accountability in Article 5(2) of the GDPR. Among other things, the GDPR requires that personal data is available and recoverable in the event of a personal data breach. Article 32 GDPR deals with the security of processing, including the ability to ensure the ongoing integrity, confidentiality, availability and resilience of processing systems. A Business Continuity Plan helps ensure that the company has backups that can be restored within a reasonable period of time. 

In addition, the Business Continuity Plan should identify critical processes and vulnerabilities, as well as preventive measures to reduce the risks of accidental erasure, unauthorised access or data loss. It can thus complement risk analyses and Data Protection Impact Assessments (DPIA) (Article 35 GDPR). Furthermore, a good Business Continuity Plan ensures that data subjects’ rights under Articles 12-22 of the GDPR can be met even during a crisis.

Steps that companies should implement and document in a Business Continuity Plan

Identifying critical processes

In order to establish an effective Business Continuity Plan, it is important to first identify various critical processes and personal data processing that are necessary for the company. For example, critical IT systems, financial systems, HR processes, which tools the company uses for communication, payment methods, etc. Among other things, the company needs to map out the necessary systems, the processes that need to work in order to continue operations, the resources that the company needs for the execution of the work, personal data that is critical to process, etc. It is also good to map out approximately how long the company's operations can be completely or partially out of operation, before there are serious consequences.


Risks

After the company has identified the necessary processes and the like, the company should analyse the risks and how the Business Continuity Plan should prevent or minimise them.

Technical incidents

For example, a system crash, a network outage or backups that can no longer be restored.

Organisational incidents

For example, when important people in the company stop working for the company, suppliers do not deliver according to contract, unusually large staff shortages due to the spread of disease or the like.

Cyberattacks

For example, if attackers break into the company's database, encrypt data and demand a ransom (ransomware), or the like.

Physical incidents

For example, in the event of a fire, flooding, power outage or similar at the office.


Roles and responsibilities

In order to manage a crisis as effectively as possible, it is good to have clear roles and responsibilities that are defined and allocated in advance. Without this, there is a high risk that the response becomes chaotic in the event of a crisis. Examples of what the company should define in a Business Continuity Plan:

  • Who leads the crisis response.
  • Who is responsible for IT.
  • Who documents the course of events, the measures taken, etc.
  • Who manages contact with external parties, such as data subjects and relevant authorities.
  • Who contacts and handles communication with any personal data processors, suppliers, etc.


Communication plan

Good and clear communication is extremely important within a company, especially during an ongoing crisis. Therefore, it is good to have a clear plan for internal communication. For example, it can regulate how all employees are to be informed about the incident, how data subjects are to be informed if their personal data has been affected by the incident, if and when the company is to report to the national data protection authority, and what alternative communication channels the company can use if the regular ones cannot be used.


Alternative ways of working

In order to continue working during an ongoing crisis, the company needs to have alternative ways of working. It is often a matter of working manually or with emergency solutions. For example, the Business Continuity Plan should include answers to the following questions:

  • How do employees get access to the documents they need to perform their duties?
  • Can the storage of personal data take place without compromising security?
  • How will customer cases be handled if the company's IT systems do not work?
  • How can the company handle invoicing, payroll, work orders and other financially critical parts of the business during the crisis?


Returning to normal operations

The faster a company returns to normal after a crisis, the better. It is therefore good to define how this should be done, and it often happens in stages. For example:

  • Restart the different systems.
  • Transfer the manual work back to the digital systems.
  • Analyse what damage occurred, for example personal data breaches. Remember to report personal data breaches to the data subjects and/or the appropriate authorities if required.

It is also good to document the entire process in order to demonstrate compliance with GDPR and be able to improve it in the face of a new possible crisis.

Test and update

It is important to test the Business Continuity Plan to know whether it works, before a real crisis arises. For example, companies should run simulated outages and work according to the Business Continuity Plan and the Disaster Recovery Plan to see whether they work in practice.
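The two testable claims in this section and in the GDPR section above are that backups can be restored within a reasonable period of time and that a simulated outage should be exercised before a real one. The script below is an added example, not part of the original page: it performs a restore drill by unpacking a backup archive into a scratch directory, verifying every file against a SHA-256 manifest recorded at backup time, and checking the elapsed time against a recovery time objective (RTO). The sample files, the manifest format and the RTO value are assumptions constructed for the example.

```python
"""Backup restore drill (added example).

Restores a backup archive into a scratch directory, verifies each file
against a SHA-256 manifest written at backup time, and checks the elapsed
time against the recovery time objective (RTO) set in the Business
Continuity Plan. File names, manifest format and RTO are assumptions
made for this example and not taken from any real product."""
import hashlib
import io
import tarfile
import tempfile
import time
from pathlib import Path

# Constructed sample data standing in for a company's critical files.
SAMPLE_FILES = {
    "crm/customers.csv": b"id,name\n1,Example Person\n",
    "hr/payroll.json": b'{"period": "2024-01", "entries": []}\n',
}


def sha256_of(path: Path) -> str:
    """Hex SHA-256 digest of a file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_backup(files: dict[str, bytes]) -> tuple[bytes, dict[str, str]]:
    """Pack files into an in-memory gzip tar and return it with a
    path -> SHA-256 manifest. The manifest is kept separately from the
    archive so that a corrupted or incomplete archive is detected on restore."""
    buf = io.BytesIO()
    manifest = {}
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
            manifest[name] = hashlib.sha256(data).hexdigest()
    return buf.getvalue(), manifest


def restore_drill(archive: bytes, manifest: dict[str, str], rto_seconds: float) -> dict:
    """Restore the archive into a fresh temporary directory, compare every
    manifest entry with what was restored, and report whether the drill
    met the RTO. The returned dict is the record to keep in the drill log."""
    started = time.monotonic()
    missing, mismatched = [], []
    with tempfile.TemporaryDirectory() as scratch:
        root = Path(scratch)
        with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
            # The "data" extraction filter refuses absolute paths, links and
            # traversal outside the target; older Pythons lack the argument.
            try:
                tar.extractall(root, filter="data")
            except TypeError:
                tar.extractall(root)
        for name, expected in manifest.items():
            target = root / name
            if not target.is_file():
                missing.append(name)
            elif sha256_of(target) != expected:
                mismatched.append(name)
    elapsed = time.monotonic() - started
    return {
        "files_checked": len(manifest),
        "missing": missing,
        "mismatched": mismatched,
        "elapsed_seconds": round(elapsed, 3),
        "rto_seconds": rto_seconds,
        "within_rto": elapsed <= rto_seconds,
        "passed": not missing and not mismatched and elapsed <= rto_seconds,
    }


def run_drills() -> dict:
    """Run the drill twice: once against an intact backup and once against a
    damaged one (a truncated file and a lost file) checked with the original
    manifest, which is how silent backup failures are caught before a crisis."""
    archive, manifest = build_backup(SAMPLE_FILES)
    intact = restore_drill(archive, manifest, rto_seconds=60)

    damaged_files = dict(SAMPLE_FILES)
    damaged_files["crm/customers.csv"] = b"id,name\n"   # truncated export
    del damaged_files["hr/payroll.json"]                 # file never backed up
    damaged_archive, _ = build_backup(damaged_files)
    damaged = restore_drill(damaged_archive, manifest, rto_seconds=60)
    return {"intact": intact, "damaged": damaged}


if __name__ == "__main__":
    for label, result in run_drills().items():
        print(label, "PASS" if result["passed"] else "FAIL", result)
```

The drill is only meaningful if it runs against the real backup media and on the hardware the Disaster Recovery Plan would actually use; the RTO comparison is what turns "we have backups" into evidence that they can be restored within a reasonable period of time, which is the record a company would want to show under the accountability principle.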


A Disaster Recovery Plan complements a Business Continuity Plan

Simply put, a Disaster Recovery Plan acts as the technical part of the company’s Business Continuity Plan. It is good for companies to draw up both these documents. A Business Continuity Plan describes how the company should act in a crisis, while a Disaster Recovery Plan describes how employees should restore the IT infrastructure and the processing of personal data after a disaster or crisis. A Disaster Recovery Plan is usually more detailed than a Business Continuity Plan.
