Top 10+ EU Privacy Regulation issues – #11 Are you able to handle a data breach?
A detailed data mapping activity and internal cyber risk procedures are necessary to handle a potential data breach at the time of the EU Privacy Regulation.
I already discussed in a previous blog post the relevance of cyber risk nowadays. According to a report by Symantec, there were more than 430 million new malware variants in 2015, with 318 total data breaches and more than 429 million identities exposed to cyberattacks. It is therefore certain that any company in the world will, sooner rather than later, suffer a cyberattack. The issue is how the company will react to it and whether it will be able to minimise the potential negative consequences.
As part of the series of blog posts on the major changes introduced by the EU Data Protection Regulation (GDPR), here is an article on how to handle a “data breach”. You can review the other posts of this series below.
What is a data breach?
The GDPR defines a personal data breach as
“a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”
Based on the above definition, a data breach occurs not only in case of major cyber attacks that lead to unauthorised access to personal data, but also if one of our employees, agents or contractors leaves a computer or a memory stick on the train/plane and the device is not encrypted or cannot be remotely locked. Nor is a data breach necessarily limited to access to personal data that is electronically stored: it could happen, for instance, if an HR manager leaves the door of his office open with the payslips of all the employees on his desk and they are stolen.
Are you able to map data processed on behalf of your company?
If a company does not have, at any time, a full picture of who is processing personal data on its behalf, where data is stored and how data is processed, handling a potential data breach becomes impossible. The matter becomes particularly tricky when it comes to IT suppliers, in particular cloud providers, as well as agents and sub-agents. Indeed:
- Cloud providers have historically been reluctant to accept any kind of obligation to use dedicated servers for the provision of their service. But the EU General Data Protection Regulation obliges data controllers to secure their audit right in the data processing agreements with processors (including cloud providers) and to exercise actual control over them. It will be interesting to see how cloud providers will handle the matter, and the risk is that the GDPR will spell the end of the fully open cloud;
- Agents are usually small companies which in turn have a network of sub-agents that are self-employed individuals without any organisation or IT infrastructure. It will be crucial to set up a “safe environment” where the data controller can
  - make sure that the personal data of its clients/employees is accessed only through, for instance, its dedicated portal and cannot be lost on devices/printed documents that are impossible to map; and
  - have a full understanding at any time of who is processing the personal data of its clients/employees, and that each of those entities/individuals
    - has committed to comply with privacy laws through a data processing agreement (or a sub-data processing agreement in the case of a sub-processor) or through appointment as a person in charge of the data processing;
    - has technical and organisational measures adequate to ensure the protection of personal data; and
    - has been adequately trained on the obligations imposed by privacy regulations.
Are you able to get notified and notify a data breach?
In case of a data breach, the EU Privacy Regulation obliges the controller to
- notify it to the competent data protection authority without undue delay and, where feasible, not later than 72 hours after having become aware of it; and
- when this is likely to result in a high risk to the rights and freedoms of natural persons, communicate it to the data subject without undue delay.
The above requires putting in place a procedure that ensures that
- employees, agents, contractors and whoever processes personal data on behalf of the company are fully aware of what a data breach is, of the risks faced by the company if it is not notified, and of what to do if one occurs;
- a timely internal notification of data breaches, e.g. through a dedicated email address or hotline, is possible; and
- an assessment of whether a notification to the data protection authority or a communication to the individuals is necessary and, if so, how to do it can be performed in a timely manner.
A major debate occurred during the drafting of the EU Privacy Regulation on whether the term for the notification/communication had to run from the occurrence of the event or from the controller's knowledge of it. The final version of the regulation refers to the time when the controller becomes aware of it. However, a delay in becoming aware of a data breach would in itself be evidence of the lack of adequate internal security measures.
Are you able to avoid the notification of a data breach?
The notification/communication of a data breach is not always required. Indeed, the GDPR provides that
- The notification to the data protection authority is required, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons; while
- The communication to individuals is not required when
  - appropriate technical and organisational protection measures have been implemented and applied to the personal data affected by the data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
  - subsequent measures have been taken which ensure that the high risk to the rights and freedoms of individuals is no longer likely to materialise; and
  - it would involve disproportionate effort (e.g. there are millions of customers to be notified). In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.
The above means that the notification of a data breach might in itself reveal the lack of adequate security measures by the company. Conversely, the implementation of adequate technical and organisational safeguards, validated by the data protection authority or a certification body by means of a privacy impact assessment or a certification, would considerably limit the risks even if a data breach occurs.
In this respect, the implementation of an internal cyber risk policy, as well as the adoption of a cyber risk insurance policy, would represent considerable protection.
This is just a snapshot of what has to be done in case of a data breach. But if you found this article interesting, please share it on your favourite social media!
WRITTEN BY GIULIO CORAGGIO
IT, gaming, privacy and commercial lawyer at the leading law firm DLA Piper. You can contact me via email at firstname.lastname@example.org or email@example.com or via phone at +39 334 688 1147.