Hacks, ransomware, theft of credit card details, phishing mails… data breaches are taking a prominent position in daily headlines. Company reputations are destroyed as a result of not handling data breaches effectively. From next year, companies will have mandatory breach notification obligations towards regulators, individuals and the companies they provide services to. These notification obligations put a new spotlight on how well companies are able to handle data breaches. To help you get started, this article provides a pragmatic GDPR data breach response guide.
Security plays a prominent role in the European Union's new General Data Protection Regulation (GDPR). Transparency, the ability of individuals to exercise their rights and appropriate mechanisms for international data transfers have little value to individuals if their data is not secure. Lack of consumer confidence has been identified as a key risk for the development of the digital single market, and a series of high-profile data breaches has exacerbated the situation. The GDPR has therefore made data security a crucial piece of the puzzle.
Security obligations apply to both controllers and processors. This is sensible in today's world, where service providers may have great influence on the security measures taken and already have complex sub-contracting arrangements in place which they may find impractical or undesirable to amend. With rules applying directly to both controllers and processors that offer goods or services in the European Union, any company processing personal data should have an idea of the security obligations applicable to it.
Both controllers and processors are obliged to ''implement appropriate technical and organisational measures'' taking into account ''the state of the art and the costs of implementation'' and ''the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.'' This may be challenging for certain types of processors, such as hosting providers, as not all processors have any visibility of the data which they process. As these processors will be unable to assess the nature of the risk themselves, they may have to place obligations on their customers to assess, at a minimum, the level of security they require.
Moreover, the GDPR requires controllers to only engage processors that provide ''sufficient guarantees to implement appropriate technical and organisational measures'' in order to meet the GDPR's requirements and protect data subjects' rights.
The GDPR provides specific suggestions for what kinds of security actions might be considered ''appropriate to the risk''. These suggestions include:
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident, such as a data breach;
- the pseudonymisation and encryption of personal data (which may exempt the controller from notifying affected individuals of a breach, see below);
- a process for regular testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
The above shows that "security" is not just about external threats, but also covers business continuity: availability and the ability to restore access to data are part of the obligation.
Controllers and processors that adhere to either an approved code of conduct or certification mechanism may use these tools to demonstrate compliance with the GDPR's security standards.
The GDPR includes specific breach notification rules. Under the GDPR, so-called ''personal data breaches'' must be notified to supervisory authorities and, in some cases, also to the affected individuals. Processors must notify the controller.
A ''personal data breach'' is defined as ''a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.''
In the event of a personal data breach, controllers must notify the competent supervisory authority. This is likely to be the supervisory authority in the country where the controller is established. Notice to supervisory authorities must be provided ''without undue delay and, where feasible, not later than 72 hours after having become aware of it.'' If notification is not made within 72 hours, the controller must provide a reasoned justification for the delay when notifying the personal data breach. Notice to affected individuals must be given ''without undue delay''. Processors must notify the controller ''without undue delay after becoming aware of a personal data breach''.
Notice by the controller to the competent supervisory authority is not required if ''the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons'', which leaves room to argue that in certain cases no notification obligation applies. We will need to wait for guidance on how the data protection authorities intend to interpret this threshold.
Breaches will always come as a surprise, and the scope and nature of the breach will often be even more surprising. You will not be able to prepare for everything, but reasonable preparations can prevent a personal data breach from ending in a company catastrophe. Preparations can, however, only start once you have a clear and complete picture of your company's data flows. It is therefore crucial to map the data flows within your company and the relative sensitivity of the different data sets processed.
With a picture of the data flows and the implemented security measures in mind, it can be assessed where your company is most vulnerable. Bear in mind that even your most valuable and best-secured assets can be your weakest link when it comes to personal data breaches, for instance where that data is processed by vendors. In this respect, we recommend reviewing all vendor agreements for security obligations and data breach notification requirements. It is recommended to contractually oblige your service providers to notify you of any security incident as soon as possible, and ultimately within 48 hours of becoming aware of the incident, so that your company can meet its own 72-hour deadline.
For completeness: the conservative planning assumption is that the 72-hour clock starts at the moment the processor became aware of the breach, not at the moment the processor notified the controller. This is why the contractual deadline for processors should be well inside 72 hours.
Furthermore, it is recommended to implement an internal security incident response plan and to train employees on data confidentiality, data security, and the notification and handling of security incidents. Make sure that employees understand what constitutes a personal data breach, and that this is more than the loss of personal data. Your employees should also know who to contact in the event of a personal data breach.
In light of the tight timescales for reporting a breach, it is important to have robust breach detection, investigation and internal reporting procedures in place. This will facilitate decision-making about whether you need to notify the relevant supervisory authority or the affected individuals.
Many organisations already have data breach handling processes in place, but these will likely need review to ensure they meet the new requirements of the GDPR. Where companies are already considering how to manage their cybersecurity risk more generally, it may be advisable to combine the two workstreams to avoid confusing, overlapping processes and to ensure robust procedures are implemented.
When a security incident happens, our practical recommendation is to take the following steps:
Step 1: Investigate the Incident
Is the Incident a Personal Data Breach?
A personal data breach may involve the loss, destruction or alteration of personal data or the unlawful accessing or processing of it. The mandatory notification obligation applies only if an incident actually resulted in a breach of personal data. For instance, lost USB sticks, stolen laptops, malware infections affecting systems that hold personal data (including ransomware that renders the data inaccessible) or hacked databases containing personal data are considered personal data breaches.
A threat or a shortcoming in security measures, such as weak passwords or outdated firewalls, is not a personal data breach as long as no personal data has actually been compromised (disclosed, accessed, lost, destroyed or altered). Such weaknesses therefore do not trigger the mandatory notification obligation, although they should of course be fixed.
Step 2: Investigate the Scope, Nature and Possible Consequences
For this investigation the answers to the following questions can be relevant:
- What is the source of the personal data breach? For instance, is it a stolen device, or was an internal system compromised by an attacker?
- How many individuals are affected by the personal data breach, and is the breach likely to result in a risk to the rights and freedoms of those individuals? For instance, a hack of a customer database would most likely have a severe impact on the private lives of many people. On the other hand, a breach concerning only the business contact details of one customer may have minimal impact.
- Does the personal data compromised include sensitive data? For instance, credit card details, passport numbers or health data.
- Was the compromised personal data encrypted or otherwise secured in a manner which makes it impossible for a third party to access? If adequate encryption is used and the keys were not part of the breach, it can be assumed that third parties will not be able to read the personal data. Be careful with hashing: a salted hash only protects values that an attacker cannot guess. Low-entropy values such as dates of birth, phone numbers, postcodes or ID numbers can be recovered from a salted hash by simply trying every possibility, so hashed data of that kind should still be treated as compromised.
- Which steps have been taken to mitigate (further) loss of personal data? For instance, if it is possible to wipe all personal data remotely from a lost device, or if control over a hacked database can be regained, further loss can be mitigated.
- Which parties are involved in the data breach? For instance, if a shared database is hacked, it cannot be excluded that several parties will be involved and/or affected by the data breach.
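The point about hashed data above is worth seeing in practice. The following is an added example written for this article, not code from the original text: it constructs one leaked record holding a date of birth protected first with a per-record salt plus SHA-256 (the scheme the text calls "hashed and salted") and then with an HMAC under a secret key that is assumed to live outside the breached database (a design choice assumed here, not prescribed by the GDPR). The attacker, who has the salt because it is stored beside the hash, recovers the date of birth by enumerating every day between 1900 and 2017; the same enumeration against the keyed HMAC fails unless the key was also in the breach. All data is constructed.

```python
import hashlib
import hmac
import os
from datetime import date, timedelta

# Candidate space for a date of birth: every day from 1900-01-01 to 2017-12-31,
# roughly 43,000 values. Chosen for this example; an attacker who knows the
# data set (e.g. adult customers only) would narrow it further.
_START = date(1900, 1, 1)
_END = date(2017, 12, 31)


def candidate_dobs():
    """Yield every ISO-formatted date in the candidate range."""
    d = _START
    while d <= _END:
        yield d.isoformat()
        d += timedelta(days=1)


def salted_sha256(salt: bytes, value: str) -> str:
    """Per-record salt plus a fast hash: what is usually meant by 'salted and hashed'."""
    return hashlib.sha256(salt + value.encode()).hexdigest()


def keyed_hmac(key: bytes, value: str) -> str:
    """Keyed pseudonymisation: the secret key is assumed to be held outside the database."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def recover_dob(secret: bytes, digest: str, scheme: str):
    """Try every candidate date under the given scheme; return the DOB or None."""
    fn = salted_sha256 if scheme == "salted" else keyed_hmac
    for dob in candidate_dobs():
        if hmac.compare_digest(fn(secret, dob), digest):
            return dob
    return None


# Constructed "leaked" row. The salt sits next to the hash, so the attacker has it.
TRUE_DOB = "1984-06-15"
LEAKED_SALT = os.urandom(16)
LEAKED_SALTED_HASH = salted_sha256(LEAKED_SALT, TRUE_DOB)

# Constructed row protected with a key that is NOT in the breached database.
SECRET_KEY = os.urandom(32)
LEAKED_HMAC = keyed_hmac(SECRET_KEY, TRUE_DOB)


def attacker_recovers_salted():
    """Salt known, hash fast, value guessable: the DOB falls out in under a second."""
    return recover_dob(LEAKED_SALT, LEAKED_SALTED_HASH, "salted")


def attacker_recovers_hmac_without_key():
    """Without the key the attacker can only guess one; enumeration finds nothing."""
    return recover_dob(os.urandom(32), LEAKED_HMAC, "hmac")


def attacker_recovers_hmac_with_key():
    """If the key was in the same breach, the protection is gone again."""
    return recover_dob(SECRET_KEY, LEAKED_HMAC, "hmac")


if __name__ == "__main__":
    print("salted SHA-256 of DOB recovered:", attacker_recovers_salted())
    print("HMAC, key not in breach:", attacker_recovers_hmac_without_key())
    print("HMAC, key also leaked:", attacker_recovers_hmac_with_key())
```

The practical conclusion for Step 2 is that "hashed" is not the same as "unintelligible": when assessing whether compromised data is readable, ask what the attacker can enumerate and whether any key or salt needed to reverse the protection was stored with the data.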
Step 3: Investigate Notification Obligation towards the Supervisory Authority
The supervisory authority should be notified by the controller of any personal data breach that results in or is likely to result in ''a risk to the rights and freedoms of natural persons.'' This has to be assessed on a case by case basis. For example, you will need to notify the relevant supervisory authority about a loss of customer details where the breach leaves individuals open to identity theft. On the other hand, the loss or inappropriate alteration of an internal telephone list, for example, would not normally meet this threshold.
In this respect it is relevant to know the answers to the above questions and to have an idea of the reasonable consequences the breach may have (for example discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage). If not all information is yet available, the controller should still notify the supervisory authority within the deadline; the GDPR allows information to be provided in phases. The notification may be amended at a later stage when the full details are known, or withdrawn if it turns out not to be needed after all.
If notification to the supervisory authority is required
Where a notification to the supervisory authority is required, it is recommended to first check whether the supervisory authority uses a standard breach notification form. If no such form is available, the notification should include at least the following information:
• the scope and nature of the personal data breach, including the categories and number of data subjects and data records concerned;
• the name and contact details of the data protection officer (if your organisation has one) or other contact point where more information can be obtained;
• a description of the likely consequences of the personal data breach;
• a description of the measures taken or proposed to be taken to address the breach, including measures to mitigate any possible adverse effects.
Step 4: Investigate Notification Obligation towards Individuals
Where a personal data breach is likely to result in a ''high risk'' to the rights and freedoms of individuals, you must notify those concerned directly. A ''high risk'' means the threshold for notifying individuals is higher than for notifying the relevant supervisory authority.
If affected individuals must be informed, you should provide at least the following information in clear and plain language:
• the scope and nature of the personal data breach;
• the name and contact details of the data protection officer (if your organisation has one) or other contact point where more information can be obtained;
• a description of the likely consequences of the personal data breach;
• a description of the measures taken or proposed to be taken to address the breach, including measures to mitigate any possible adverse effects (e.g. contact your credit card provider, change your password, etc.).
Notification to individuals is not necessary if the controller can demonstrate that ''appropriate technical and organisational protection measures'' were applied to the data concerned by the personal data breach, which ''render the personal data unintelligible to any person who is not authorised to access it'', such as encryption (with the keys not compromised), or if it has subsequently taken measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise.
If individual notifications would be a disproportionate effort, the controller can use some form of public communication instead provided that this will be equally effective in informing individuals.
Supervisory authorities have the power to overrule controllers and order them to notify the affected individuals if they disagree with a controller's assessment of the risk.
Step 5: Create and Maintain an Internal Breach Register
Controllers are obliged to document any personal data breaches, which shall at least include information on the facts relating to the personal data breach, the effects of the breach and the efforts and remedial actions taken. It is recommended also documenting any communication with supervisory authorities and affected individuals. Moreover, in the event a decision was made not to notify supervisory authorities and/or affected individuals, it is recommended to keep a record of the facts and the reasons why such decision was made as a supervisory authority may initiate an audit or request for information at any time.
For processors it is also recommended to keep an internal breach register, amongst other things to demonstrate to (potential) customers the effectiveness of the implemented security measures and the maturity of their data breach handling.
Step 6: Evaluate the Personal Data Breach and Update Technology and Policies
The new principle of accountability requires controllers to be responsible for, and to be able to ''demonstrate'', compliance with the data protection principles, which include the security obligations. In view of the accountability requirement, it is recommended to document what your organisation has done to prevent future personal data breaches originating from the same source, and to regularly review and update your breach detection, investigation and internal reporting procedures. Moreover, it is recommended to regularly review and update your security measures and the training provided to employees on data security and the handling of personal data breaches.
We hope that this guide helps you to prepare for and deal with data breaches in a GDPR compliant manner. However, if you get the call and want to discuss, please reach out and we will guide you through, making sure that your company will not be a trending topic for the wrong reasons.