AIESEC was established in 1948 by 7 people in 7 countries. The goal: to change the world one internship at a time. Since the founding, over 1 000 000 young people have directly benefited from the vision of the 7 founders. To survive such a long time and to affect so many people, you need people that believe in the organization. Now – AIESEC is a global network of people that simply believe that youth leadership is not an option, but our responsibility.
Young adults in search of professional experience had their data exposed, accessible to the public. You all know what is on a CV: your full name, your date of birth, your nationality, a timeline of your education, an email address and possibly a photo of you and a phone number. It’s safe to say that it’s rather personal.
When you are the Data Protection Officer (DPO) of an organisation that is a bank of human resources, alarm bells might very well explode in your head. This is where a cool head is required; not only a cool head but proper prior preparation, and not only proper prior preparation but people that are dedicated to your organisation.
An example of this is the AIESEC DPO, who acted so fast that only 40 people out of millions were affected. They also sacrificed their weekend to achieve this feat.
So how did the DPO prevent a molehill from growing into a mountain? We turn to the timeline:
Friday 11th to Sunday 12th of January 2019.
– Ukraine – Bob Diachenko notifies AIESEC of the breach.
– Canada – The AIESEC DPO is notified of the data breach. They followed the protocol from their Data Impact Assessment.
Step 1 – Secure the server
– India – As the AIESEC IT infrastructure is based in India, coordination was required between the DPO in Canada and the CEO of their external IT infrastructure vendor.
The goal was to secure the server, make sure that only 40 people were affected, and check that all other systems were secure.
(side note – the time difference between Montreal and Chennai is 10hrs 30min.)
Step 2 – Notify the Dutch Data Protection Authority
– Due to a prior company-wide GDPR assessment, proper structures were in place that the DPO could and did follow.
What does one report when reporting a Data Breach?
– The nature of the data breach, i.e. what sort of personal data was affected
– The name and contact details of the DPO
– The likely consequences of the data breach
– Future measures to prevent the same event happening
– All the people affected were notified – 40 in this case (where they are located cannot be disclosed)
– Consult with the organization's lawyers to see if there are any other actions required.
In the days following the successful management of the data breach, all the stakeholders were notified.
The result, a molehill remained a molehill.
What can one draw from the events described above? Well, for one, you need people that are prepared. This means policies have to be in place so people have a guide on what to do in a worst-case scenario.
You need people that take responsibility, starting with Bob Diachenko (an ethical hacker) who cares, and employees and volunteers at an organization who are dedicated to the cause.
At the time of writing, none of the affected people had responded to AIESEC. The Dutch DPA also had not responded, but they do not need to (the Dutch DPA received 15 400 data breach notifications in 8 months).
The point of Article 33 of the GDPR (Notification of a personal data breach to the supervisory authority) is to make sure that companies actually notify an authority. In pre-GDPR times, data breaches would have gone unnoticed and unreported. Article 33 is the reason why DLA Piper could release their survey on the 59 000 reported data breaches from May 25th 2018 to January 31st 2019.
The GDPR and similar data laws have arrived on our shores to ensure that personal data is handled in an ethical manner. The work of people like Bob Diachenko, the DPO at AIESEC, their IT vendor in Chennai and all the others involved is a good example of how to behave when there is a data breach. The reason why I am writing this article (in Austria) is because I believe it is important to share this experience, so that we learn from it. The GDPR and its friends might seem like a hassle, but it's not about the admin that comes with being compliant. It is about respecting personal privacy and taking the responsibility to uphold a person’s right to privacy.