GDPR breach law

by Mark Rowe

Deema Freij, pictured, global privacy officer at the data security product company Intralinks, sets out considerations that organisations need to be aware of around the 72-hour breach notification provision in the EU General Data Protection Regulation.

Aside from the scale of the maximum penalties for breaching the regulation, one of the more eye-catching provisions in the EU General Data Protection Regulation (GDPR) is the mandatory 72-hour breach reporting rule.

Keen students of the GDPR will know that we are of course talking about article 33, which states that “in the case of a personal data breach, data controllers shall without undue delay” notify the appropriate regulator of the breach. Article 33 goes on to state that where it is feasible, this notification should take place no later than 72 hours after the breached party has become aware of the incident.

Anyone with any legal training will see that this wording poses a few questions. Seemingly, “undue delay” is likely to be any time after the 72-hour window has passed, though this may be different for data controllers versus data processors. But what would constitute an “undue delay”? What if a party has been breached and had personal data stolen, but remains unaware of this fact through lack of care? Under what circumstances would it be deemed not “feasible” to report a breach? On these points the regulation is deliberately vague to allow for a broad range of possible eventualities.

There is plenty of analysis out there already for anyone interested in reading up on what this wording may mean and how it might be interpreted. I don’t propose to get into that here for reasons of space, and also because much of it is likely only to be crystallised when courts and regulators are asked to apply the regulation.

For now, it is more useful to concentrate on what this mandatory notification timeline means for organisations. Anecdotally, it’s surprising how many organisations don’t have defined processes in place for a plan of action if they suspect they have been breached. Particularly in the heightened atmosphere of a data breach, it’s very easy to come unstuck on relatively mundane and simple points of process: who should be notified internally? How do we contact the regulator? And at what stage do we notify? What do we tell our customers? Who’s going to handle that? Is anyone looking into the breach itself and making sure any leak isn’t ongoing?

Although the GDPR won’t help you answer those questions, it is clear on your responsibilities as a business in the event of a breach. Organisations must notify the national data protection regulator and must also notify everyone who has been affected by the breach where the “data breach is likely to result in a high risk to the(ir) rights and freedoms”, for example any customers whose data has been compromised. But even then, you might not know who’s been affected in the early stages.

Uncertainty over who has been affected can lead to “over-reporting”, which in turn can lead to citizens becoming immune to data breach notifications if they receive too many. The result is that they become impervious to notices and do not take the recommended action to mitigate any potential harm.

Finding out what the breach is, who has been affected, how wide it is and how it happened all within 72 hours is not easy – especially when companies want to be remediating damage caused by the breach in this time. This is where having thorough processes shows its value, because all of this information will need to be relayed to the regulator. From the point of initial breach detection, the CISO needs to be all over the incident. Smaller companies are likely to outsource elements of their response.

There are some exceptions contained in Article 34 which summarise scenarios where the data subject does not have to be notified in the event of a breach. One such situation is where the data controller has “implemented appropriate technical and organisational protection measures in respect of the personal data affected by the breach,” and an obvious example would be a breach involving data that has been encrypted by the controller. Article 34 does not provide detail on whether different standards of encryption would be treated differently, but it is clear from the regulation that encrypting data in-transit and at-rest remains a sensible precaution for those organisations looking to comply with the GDPR.

It is also unclear for now what approach different regulators in Europe will take towards enforcing penalties. Some regulators lean more towards cooperation and training rather than strict enforcement of penalties, but others are stricter. Some commentators suggest regulators will seek to levy a huge fine to make an example of an organisation and encourage others to fall into line. Ultimately, making the cost of failing to comply considerably more expensive than the cost of ensuring compliance is usually considered to be an effective way to boost the numbers of organisations taking the proper steps to safeguard citizens’ data.

Although there are still around 18 months before the GDPR comes into force on May 25, 2018, organisations need to act now to stand any chance of achieving compliance. The 72-hour mandatory notification window is likely to pose very significant challenges to many companies and as such requires careful planning ahead of time to give the best possible chance of compliance with this provision.

Of course, the best way to achieve this aim is to avoid data being breached in the first place, which requires a holistic data privacy regime to be in place. As ever with incoming regulations, it remains to be seen how the law will be interpreted, but we can be sure that implementing a holistic data privacy regime and taking sensible precautions such as encrypting data will greatly improve an organisation’s chances of achieving compliance.
