What to expect in a post-GDPR deadline world?

For those IT and security professionals who have been scrambling for the past year to bring their organizations into compliance with the European Union’s General Data Protection Regulation (GDPR), the May 25, 2018, deadline looms large on the horizon. That is the date by which organizations that do business with, or store personal information about, residents of the EU must comply with the regulation’s requirements.

The GDPR, which replaced the Data Protection Directive, became law in 2016, but it allowed for a grace period to give companies time to implement the measures that it prescribed for protecting the privacy of the personal information of individuals.

Organizations that must comply with the GDPR (which extends to many that are outside of the EU) have naturally been focused heavily on the data portability and data security aspects of the law, along with the required recordkeeping and the access rights of data subjects (those individual EU residents whose data is collected, stored, processed, or transferred).

Security of processing is the subject of Article 32 of the GDPR. The objective of these requirements, which include protection of personal data via encryption and pseudonymization as part of “appropriate technical and organizational measures to ensure a level of security appropriate to the risk,” is to avoid the exposure of subjects’ personal data. If those measures work perfectly, organizations won’t have to worry about what happens in the event of a data breach that impacts personal data that falls under the GDPR.

Of course, we all know that in life in general and IT in particular, things tend not always to work perfectly. Thus, it’s important that organizations also pay close attention to Articles 33 and 34, which address what you’re required to do if and when a personal data breach does occur. That’s what we’re going to be looking at in this article.

Notification of a personal data breach

Many organizations in the U.S. are already familiar with the necessity of notifying individuals whose personal information is or might have been affected by a security breach. As of February 6, 2018, forty-eight of the fifty states had enacted legislation mandating that such impacted individuals be notified, usually within a specified period of time.

The number of data breaches in the U.S. has generally been increasing over the last several years, and just two months into 2018, we have already seen a number of significant breaches hit the headlines, although many of them relate to an exposure that has been ongoing for months. Coming off the Equifax data breach that affected millions last year, we got off to a not-so-great start this year with the announcement of the Spectre and Meltdown processor vulnerabilities, which had the potential for exploits that could expose the data of anyone who used any popular, recently made device.

Statistics aside, the leakage or theft of personal data can create a financial and administrative nightmare for an individual, and it may not happen immediately; victims of data breaches must live with the threat of identity theft and other harm for months or even years. Thus it is imperative that they are made aware as soon as possible so that they can take measures to mitigate the risk. This is the reason for data breach notification laws.

GDPR notification requirements

Under Articles 33 and 34, when a data breach occurs, the data controller (defined in Article 4 as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”) is required to make two specific notifications:

  • To the supervisory authority, and
  • To the data subject

Notification to the supervisory authority

The supervisory authority is an independent public authority that is responsible for monitoring the application of the GDPR. Each of the EU member states is required to provide for one or more supervisory authorities. The supervisory authorities are charged with the duty of protecting the fundamental rights and freedoms of individuals in relation to the processing of their personal data.

The GDPR emphasizes the independence of the supervisory authorities and mandates that they remain free from external influence. The EU states are required to provide the supervisory authorities with the appropriate resources and budget to carry out their duties. Article 53 lays out the general conditions for the appointment of supervisory authorities and their qualifications.

The notification to the supervisory authority is to be made “without undue delay.” The GDPR more specifically states that “where feasible,” this should be done within 72 hours of discovery of the breach. There is one exception: notification is not required if the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Recital 85 expands further on this exception, making it clear that the controller must be able to demonstrate, in accordance with the accountability principle, that the risk is unlikely.

Article 33 also sets out minimum requirements as to what must be included in the notification. This includes:

  • The nature of the breach
  • Categories and numbers (approximate) of data subjects affected
  • Approximate number of personal records affected
  • Contact information for further investigation
  • Likely consequences of the breach
  • Measures taken or proposed for addressing the breach and mitigating the impact

The controller is required to document facts relating to the breach for use by the supervisory authority in determining compliance.

Notification to the data subject

Article 34 requires that the controller also notify all data subjects if the breach is likely to result in a high risk to the rights and freedoms of the affected individuals. However, this section does not get as specific regarding the time frame. The content is also less extensive; this notification does not require that the categories and numbers of affected data subjects or number of personal records be included.

There are also three specific conditions that negate the requirement for notification to the data subject:

  • If the data that was exposed by the breach was encrypted so that it would be unintelligible to unauthorized persons,
  • If measures have been taken to make it unlikely that there will be a high risk to the rights and freedoms of the data subjects, or
  • If notification to data subjects would involve “disproportionate effort.” In this case, the controller can, instead of individually notifying the data subjects, use a public communication to inform those who are affected.

The supervisory authority can require the controller to notify the data subjects if this has not been done. Recital 86 further notes that the notification to the data subject should contain recommendations as to what the data subject can do to mitigate potential adverse effects of the breach.

Organizations should describe solutions and help affected data subjects to implement them. Some organizations will choose to take such steps as offering personal credit monitoring or similar services, to be paid for by the organization, for a specified period of time.

Remember that failure to comply with the GDPR can result in an administrative fine up to €20,000,000 or 4% of worldwide annual turnover, so these requirements are not to be taken lightly.

Beyond GDPR: managing public perception

Non-compliance can have consequences beyond the penalties imposed by the EU; a data breach – especially if shown to be a result of failure to meet security requirements – can be an organization’s public relations nightmare. Your public response to a breach can determine the extent of harm to the company’s reputation and business.

It’s important to publicly accept responsibility and be as transparent as possible; be forthcoming about why the breach occurred and about what is being done to prevent a recurrence in the future. Educate data subjects as to their rights in the wake of the breach and provide mitigations. All of this will help mitigate the damage and regain public trust. Showing that you’re doing all you can to protect personal data in the aftermath may also demonstrate to the GDPR supervisory authority that you are sincere and may be taken into consideration in determining any penalties that are assessed.

It is a good idea to engage legal counsel and possibly outside security professionals to review your notification plan. They can help you with the wording of the communications, press releases, and documentation, and help you take the necessary steps to identify vulnerabilities (both in terms of liability and in technical aspects) and protect against them.
