What does it mean to have a data breach in the context of the General Data Protection Regulation (GDPR)?
Most of us think of a data breach as the actual loss or exposure of information to an unauthorized or unintended user. When it comes to the impending EU regulation, however, it is more accurate to define a data breach as a violation of the legislation (act or section) that was put in place to prevent the loss, or unlawful disclosure of data in the first place.
So, this being the case, it’s prudent to really look at the legislation that applies to your organization to make sure you don’t commit offenses and end up putting your organization’s reputation and financial standing at risk.
Data Breaches in the GDPR
Interestingly, the requirements of “notification’ of a data ‘breach” within the GDPR vary depending on the type and severity of the breach. So, I took a little look into what the regulations actually prescribe:
Article 31 of the GDPR mandates that, in the case of a data breach data officers shall, without undue delay (not later than 72 hours after having become aware of it), notify the supervisory authority of the incident unless the personal data breach is “unlikely to result in a risk for the rights and freedoms of individuals.”
It seems to me that this is a little subjective. What might appear to be a risk to the rights and freedoms of individuals by one, may differ from another. So, it appears that the default position is:
“If there is any doubt, there is no doubt, report it.”
This ensures that the Information Commissioner’s Office (ICO) is informed and provides some peace of mind to most organizations that they at least will not be penalized for a double breach. That is, being the initial unlawful disclosure of data, preceded by the compounding offence of failing to comply with the notification requirements of the act.
It seems reasonable to presume that a breach that discloses an individual’s health or financial information may be likely to have a significantly higher risk to the rights and freedoms of a data subject than a breach that leads to disclosure of customer names with no further information about the individuals. It is also fair to say, data breaches happen all the time, whether it be a disgruntled employee copying an entire database of customers, or a corrupt civil servant accessing sensitive personal data on an unsecured file server for personal gain.
I believe that these possibilities have been accepted by the legislators, and the GDPR has now been introduced to enforce a structure to organizations that were simply negligent around the handling of sensitive personal data. This new legislation focuses attention to data handling processes and indicates that evidence of proper data handling and response procedures will be taken into consideration by the ICO when determining sanctions.
What Should You Do in the Event of a Data Breach for GDPR?
You need to make sure you can answer the following questions:
- Can you prove that the personal data was encrypted at the time of the breach?
- Following a breach, can you ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services?
- Are you able to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident?
Finally, and crucially, you should always know the answer to this question: Is there a process in place for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing of data?