A detailed data mapping activity, as well as internal and external cybersecurity and reporting procedures, are best practices to handle a personal data breach under the GDPR.
I already discussed the relevance of cyber risk nowadays in a previous blog post. Based on my personal experience, the banking, financial institutions and insurance sectors, as well as the online gambling and telecoms sectors, are attacked more frequently. But any business can be the victim of a cyberattack, as we recently saw in the press.
According to a report by Symantec, there were more than 430 million new malware variants in 2015, with 318 total data breaches and more than 429 million identities exposed to a cyberattack. Therefore, it is certain that any company in the world will sooner rather than later suffer a cyberattack and, therefore, has cybersecurity issues to deal with. The problem is how the company will react to it and whether it will be able to minimize the potential negative consequences.
As part of the series of blog posts on the major changes introduced by the EU General Data Protection Regulation (GDPR), below is both an article on the best practices to handle a “personal data breach” and a video (in Italian) on the topic as part of my video series named “Diritto al Digitale”.
What is a data breach under the GDPR?
The GDPR defines a personal data breach as
“a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”
Based on the above definition, a personal data breach under the GDPR
- takes place only when it relates to personal data; illegal access to any other kind of data is not relevant; and
- might occur not only in case of major cyberattacks that lead to unauthorized access to personal data, but also if one of our employees, agents or contractors leaves their computer or memory stick on the train/plane and the device is not encrypted or cannot be remotely locked; and
- is not necessarily due to access to personal data that is electronically stored, and could happen even if, for instance, an HR manager leaves the door of his office open with the payslips of all the employees on his desk and they are stolen.
Also, the Article 29 Working Party clarified the definition of loss of personal data as the scenario where
“the data may still exist, but the controller has lost control or access to it”
giving as an (at least arguable) example the case where “the only copy of a set of personal data has been encrypted by ransomware, or has been encrypted by the controller using a key that is no longer in its possession”. This basically means that under the GDPR a personal data breach might occur even if nobody is able to access the affected personal data and therefore no loss of personal data to the benefit of someone has taken place. This does not mean that the personal data breach notification obligation would automatically be triggered in such a case, but it means that the matter shall be treated as a data breach and it should be assessed whether, depending on the potential consequences, a data breach notification is required.
Data protection authorities also argue that even a temporary loss of personal data, due for instance to a power failure or a denial of service attack, would fall under the definition of a data breach. Indeed, the GDPR requires controllers to put in place measures able to ensure the ongoing confidentiality of personal data and to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident. It is likely that a minor temporary unavailability of personal data will not lead to a notification obligation, but it shall still be assessed as a data breach.
Below is an initial list of best practices to get ready for a personal data breach under the GDPR.
1. Track data and their usage in your systems and in your suppliers’ systems
The Article 29 Working Party emphasized that the GDPR requires the adoption of adequate security measures and that
“a key element of any data security policy is being able, where possible, to prevent a breach and, where it nevertheless occurs, to react to it in a timely manner”.
If a company does not have a full picture at any time of
- who is processing personal data on its behalf,
- where data is stored,
- how data is processed and
and is not able to identify potential misbehaviors, for instance by means of data leakage prevention technologies and the monitoring of log files, then preventing, identifying and reacting to a potential data breach becomes impossible.
And the matter becomes particularly tricky when it comes to IT suppliers, in particular cloud providers, as well as agents and sub-agents. Indeed,
- cloud providers have historically been reluctant to accept any kind of obligation to use dedicated servers for the offering of their service. But the EU General Data Protection Regulation obliges data controllers to provide for their audit rights in the data processing agreements with processors (including cloud providers) and to exercise actual control over them. It will be interesting to see how cloud providers will handle the matter, and the risk is that the GDPR will mark the end of the fully open cloud;
- agents are usually small companies which in turn have a network of sub-agents that are self-employed individuals without any organization or IT infrastructure. It will be crucial to set up a “safe environment” where the data controller can
- make sure that personal data of its clients/employees are accessed only, for instance, through its dedicated portal and cannot be lost on devices/printed documents that are impossible to map; and
- have a full understanding at any time of who is processing the personal data of its clients/employees, and that each of those entities/individuals
- has committed to complying with privacy laws through a data processing agreement (or a sub-data processing agreement in case of a sub-processor) or the appointment as a person in charge of the data processing;
- has technical and organizational measures adequate to ensure the protection of personal data; and
- has been adequately trained on the obligations imposed by privacy regulations.
YOUR DATA BREACH BEST PRACTICES: Implement a data management and categorization system and oblige your major suppliers to do the same.
2. Implement a procedure to get notified and notify a personal data breach
In case of a personal data breach, the GDPR obliges the controller to
- notify it to the competent data protection authority without undue delay and, where feasible, not later than 72 hours after having become aware of it, where the competent authority
- in case of cross-border data breaches, is the lead supervisory authority under the one-stop-shop rule; and
- in case of companies not established in the EU, is the authority of the country where the company’s representative is based; and
- when the breach is likely to result in a high risk to the rights and freedoms of natural persons, communicate it to the data subjects without undue delay.
The above requires, also according to the Article 29 Working Party, to put in place a procedure able to ensure that
- employees, agents, contractors and whoever processes personal data on behalf of a company are fully aware of what a data breach is, of the risks faced by the company in case of a lack of notification and of what to do in case one occurs;
- a procedure is set up in order to enable a timely internal notification of data breaches (e.g. through a dedicated email address or a hotline) for GDPR compliance purposes. The Article 29 Working Party emphasizes that the agreement between controller and processor may include requirements for early notification by the processor, which in turn support the controller’s obligation to report to the supervisory authority within 72 hours;
- once the notification is received, an incident response plan is immediately activated, reporting the matter to top management, which might be a “privacy committee” made up, for instance, of the DPO, the CISO, the managing director and the heads of the main departments of the company;
- an assessment is performed by the persons/committee referred to above (i) of the potential risks for individuals deriving from the data breach, (ii) of whether a notification to the data protection authority or a communication to the individuals is necessary and (iii), if so, of how the notification shall be made; and, at the same time,
- measures aimed at containing and recovering from the data breach are adopted.
A major debate occurred during the drafting of the EU Privacy Regulation on whether the period for the notification/communication should run from the occurrence of the event or from the controller’s knowledge of it. The final version of the GDPR refers to the time when the controller becomes aware of it. And according to the Article 29 Working Party, during the period of investigation of a data breach, the controller may not be regarded as being “aware” of it. However, the same data protection authorities argue that
“it is expected that the initial investigation should begin as soon as possible and establish with a reasonable degree of certainty whether a breach has taken place and the possible consequences for individuals; a more detailed investigation can then follow.”
If there is a delay in becoming aware of a data breach or in assessing it, this circumstance itself would be evidence of the lack of adequate internal security measures under the GDPR. In particular, the Article 29 Working Party emphasizes that data processors shall immediately notify a data breach to their data controller, with the possibility of then supplementing the notification on the basis of the information subsequently gathered.
Likewise, if data controllers do not have a full picture of the data breach at the time of the notification to the data protection authority, they can mention in the notification that further information will be provided; in any case, data controllers are expected to follow up with the authority on the investigation performed. This might be a quite “tricky” obligation, since data controllers definitely do not want to draw the privacy regulator’s attention to their company for an event that might end up being irrelevant. Therefore, a case-by-case review will be necessary.
In this respect, it is important to note that, according to the Article 29 Working Party,
“the processor (e.g. a supplier, agent or service provider) does not need to first assess the likelihood of risk arising from a breach before notifying the controller; it is the controller that must make this assessment on becoming aware of the breach. The processor just needs to establish whether a breach has occurred and then notify the controller”.
This means that suppliers shall notify controllers of any type of data breach that took place, without running a prior assessment, which will be performed by the controller together with the processor.
YOUR DATA BREACH BEST PRACTICES: set up a data breach notification system through a dedicated email address or similar technologies for your employees, officers, agents and suppliers. Have a very detailed action plan and escalation procedure to react to a data breach.
3. Limit the cases when the notification of a personal data breach might be required
The notification/communication of a data breach is not always required under the GDPR. Indeed, the EU General Data Protection Regulation provides that
- the notification to the data protection authority is required unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons; while
- the communication to affected individuals is not required when
- appropriate technical and organizational protection measures have been implemented and applied to the personal data affected by the data breach, in particular those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption;
- subsequent measures have been taken which ensure that the high risk to the rights and freedoms of individuals is no longer likely to materialize; and
- it would involve disproportionate effort (e.g. there are millions of customers to be notified). In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.
The above means that the notification of a data breach might itself reveal that the company lacks the adequate security measures required by the GDPR. Conversely, the implementation of adequate technical and organizational safeguards validated by the data protection authority or a certification entity by means of a privacy impact assessment or a certification would considerably limit the risks, also in case of a data breach. In this respect, the implementation of an internal cyber risk policy as well as the adoption of a cyber risk insurance policy would represent considerable protection.
For instance, the Article 29 Working Party clarifies that a notification might not be necessary if the confidentiality of encrypted data is breached but the decryption key is not compromised. However, if restoring the affected data from backup takes too long, an availability breach might have taken place. Furthermore, the adequacy of the level of encryption shall be continuously assessed, since it might be sufficient at the time of the collection of personal data but might end up being inadequate later on.
YOUR DATA BREACH BEST PRACTICES: depending on the business where you operate, put in place technical cybersecurity measures so that access from third parties to your systems (e.g. by running periodic penetration tests), as well as potential misbehaviors from employees (e.g. by blocking USB ports, access to cloud platforms or personal email accounts), are restricted or blocked, and so that in case of loss of devices (e.g. a personal computer) or illegal access to data, the potential harm is limited because the data is, for instance, encrypted or can be remotely encrypted.
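As an added illustration (not part of the original post, and not a DLA Piper tool), the following Python sketch encodes the rules from sections 2 and 3 above: the 72-hour window running from the moment the controller becomes aware of the breach, notification to the authority unless the breach is unlikely to result in a risk, communication to individuals only for high risk and not where the data were unintelligible or later measures removed the risk, public communication where direct contact would be disproportionate, and processors reporting every breach without a prior risk assessment. The risk levels, field names and sample timestamp are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# GDPR: notify the authority "not later than 72 hours after having become aware"
NOTIFICATION_WINDOW = timedelta(hours=72)

@dataclass
class BreachAssessment:
    risk_level: str                           # controller's assessment: "unlikely", "risk" or "high"
    unintelligible_to_attacker: bool = False  # e.g. data encrypted and the decryption key not compromised
    risk_mitigated_afterwards: bool = False   # subsequent measures mean the high risk is no longer likely
    disproportionate_effort: bool = False     # direct communication impractical (e.g. millions of customers)

@dataclass
class TriageResult:
    notify_authority: bool
    deadline: Optional[datetime]   # latest time for the authority notification, None if not required
    subject_communication: str     # "none", "direct" or "public"

def triage(assessment: BreachAssessment, aware_at: datetime) -> TriageResult:
    """Apply the notification rules from the moment the controller becomes aware of the breach."""
    # Authority: required unless the breach is unlikely to result in a risk to individuals.
    notify = assessment.risk_level != "unlikely"
    deadline = aware_at + NOTIFICATION_WINDOW if notify else None
    # Individuals: only for high risk, and not when the data were unintelligible
    # to the attacker or later measures removed the high risk.
    if (assessment.risk_level != "high" or assessment.unintelligible_to_attacker
            or assessment.risk_mitigated_afterwards):
        communication = "none"
    elif assessment.disproportionate_effort:
        communication = "public"   # public communication or an equally effective measure instead
    else:
        communication = "direct"
    return TriageResult(notify, deadline, communication)

def processor_must_notify_controller(breach_established: bool) -> bool:
    # A processor reports every established breach to the controller without assessing risk;
    # the risk assessment is the controller's job once it becomes aware of the breach.
    return breach_established

def hours_left(result: TriageResult, now: datetime) -> Optional[float]:
    """Hours remaining before the 72-hour window closes (negative if overdue)."""
    if result.deadline is None:
        return None
    return (result.deadline - now) / timedelta(hours=1)

# Constructed sample timestamp (assumption): the controller confirms the breach at this moment.
SAMPLE_AWARE_AT = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
```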
4. Have a detailed plan to react to a personal data breach
You should have a detailed internal policy which provides an escalation procedure in case of data breaches. At DLA Piper we developed a detailed methodology based on the experience of all the partners of our cybersecurity team, which I will touch on in a future post, although I cannot fully disclose it since it is proprietary.
If you don’t comply with these data breach best practices, here are the potential fines
The above is also relevant because, under the GDPR, the lack of compliance with data breach notification obligations triggers a fine of up to € 10 million or 2% of the total worldwide annual turnover of an undertaking, whichever is higher. Also, according to the Article 29 Working Party, this fine might be coupled with a second fine if the lack of notification of a data breach is deemed per se a lack of adequate security measures. This is at least arguable, since the more specific fine should prevail over the generic fine and, under the laws of many EU Member States, it is not possible to impose two fines for the same breach.
Your data breach strategy might help also the NIS Directive cybersecurity compliance program
Unlike the GDPR, the NIS Directive applies to any data, including non-personal data, and sets quite strict cybersecurity obligations. The obligations are already applicable, and I covered them in this blog post: “NIS Directive applicable, is your cybersecurity plan compliant?”. There is no doubt that additional activities have to be performed to comply with the NIS Directive, but the data breach compliance program briefly outlined above can definitely be a good start.
This is just a snapshot of the recommended best practices in case of a data breach under the GDPR. You can read more on the same topic in “Top 3 lessons learned on how to be ready to handle a data breach”.