News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | Comparing EU regulatory norms with incident reporting obligations Related reading: EDPB adopts 'Schrems II' statement, PSD2 guidelines, MEP questions

rss_feed

""

""

As data breaches and other security incidents are the dominating cause of regulatory fines in areas like security and data protection, prevention and proper management are becoming a priority for many organizations. Proper technical and security measures are essential in preventing security incidents. Nevertheless, when managing incidents, it can be challenging to identify and properly follow all the applicable rules and mandatory notifications of different regulators.

To flesh this out, let's compare three main EU regulatory norms with incident reporting obligations — the EU General Data Protection Regulation, Second Payment Services Directive, and Network and Information Security Directive — to find synergies and areas of overlap to provide efficient and simple guidelines for companies that fall under several frameworks.

Personal data breach according to GDPR

Probably the most familiar law regarding incident management obligations is the GDPR. Controllers in the European Economic Area that encounter personal data breaches associated with specific risks are obligated to notify the supervisory authority and, in some cases, the affected persons of the breach.

Guidelines on how to assess risks triggering personal data breach notification with some practical examples were provided by the former Working Party 29, which was replaced by the European Data Protection Board.

Several companies are currently facing huge fines imposed by data protection regulators in relation to data breaches. For example, the U.K.’s Information Commissioner’s Office recently fined British Airways 20 million euros for failing to protect the personal and financial details of more than 400,000 customers. The ICO also fined the Marriott International hotel group 18.4 million pounds, again in relation to the personal data breach inherited during the Starwood acquisition. A telco company in Germany was fined almost 10 million euros for insufficient measures to prevent unauthorized access to personal data.

According to a DLA Piper report published at the beginning of 2020, more than 160,000 data breach notifications were reported across the EU, Norway, Iceland and Liechtenstein since the GDPR entered into force, totaling 114 million euros in fines. All of this data reveals the significant importance of proper data breach management.

Other EU regulations on security incidents

As mentioned above, the GDPR is not the first and only EU legal act that contains incident management requirements. In less than one year, three different legal acts regulating security incidents and related rights and duties were introduced in EU law. The other regulatory frameworks are identified below.

Second Payment Services Directive 

The PSD2 and its providing acts oblige all payment service providers, i.e. banks, electronic money institutions and payment institutions including payment initiation service providers and account information service providers, to implement proper security measures and to manage operational and security incidents. In the event of a major operational or security incident, the payment service provider must notify the competent authority, usually the central bank. The notification shall be done without undue delay. If the incident has or may have an impact on the financial interests of the clients, the payment service provider shall inform the clients of the incident and of all measures that they can take to mitigate risks caused by the incident (Article 96 of the PSD2).

The European Banking Authority published detailed guidelines on how to assess the individual incident and the severity based on seven different aspects, like the number of clients and transactions affected, payment service downtime or the reputational impact of the incident. The guidelines include "standard notification templates" and "the procedures for notifying such incidents."

Network and Information Security Directive  

The NIS Directive regulates the level of security of network and information systems for certain categories of subjects. These subjects are mainly operators of essential services, companies of significant size in areas like electricity production, distribution and transmission, banking, financial market infrastructure, health care etc., and digital service providers, i.e. provider of information society service containing online marketplace, online search engine or cloud computing services.

The above-mentioned categories of organizations are obligated to implement appropriate and proportionate technical and organizational measures and to manage security incidents. They are obliged to notify of incidents with significant impact to the competent authority, national cybersecurity agencies, or to the relevant computer security incident response team, again without undue delay.

All three EU legal acts are in place to protect the different public interests, such as development, protection and security of internal financial market (PSD2), protection of individual privacy and other basic rights (GDPR), and security of network and information systems for vital services (NIS).

Definition of the incident and criteria for the severity assessment, scope of the obliged organizations, notification lines and notification deadlines are different in each legal act. Nevertheless, one specific entity could be in the regime of two, or even of all three regulations, for the same security incident. This may cause a significant increase in the internal complexity and more capacities used for two or three different internal processes at the expense of the security itself.

How to lower the complexity of security incident management

Security incidents in all three EU legal acts are defined in a slightly different way and the same applies to the corresponding processes. To avoid unwanted complexity, the following common measures can be implemented in organizations, which are obliged to manage the incidents within two or three regulatory frameworks:

  • Create a unique internal escalation channel for incident reporting covering all types of incidents including malfunctions of applications or transmission systems, unavailability of internal information, and data breaches. This step may significantly simplify the internal escalation to the employees and give organizations more time to deal with individual incidents.
  • Create one department to assess or coordinate the assessment of all regulatory relevant incidents. This department should be responsible for the incident assessment for the regulation that applies to the specific incident and evaluating its severity by the affected regulation.
  • This approach can help the organization avoid situations where the incidents are assessed in isolation and without consideration of other regulatory obligations. For example, if one department assesses the incident only from a cybersecurity point of view, the organization may fail to consider other regulatory obligations (like notification of the incident to the data protection authority) leading to a breach of law or unjustifiable delays.
  • Create a separate department responsible for notifying and communicating with relevant regulators and affected individuals.One communication tone, style and range of information are important to manage the impact of the incident and to lower related regulatory and reputational risks.
  • Create one register including, among others, description of all incidents, date of occurrence and date of internal escalation, severity, impact on data security (confidentiality, integrity and availability of the information or systems), impact on affected persons, applicable regulations, next steps toward regulators and affected persons, etc. Such a list could help improve internal processes in incident management and information security itself.
  • There should be unified internal training on all incident handling and obligations of each employee. Employees, especially in big companies, are usually overwhelmed with too much training. Having only one training on incident handling, the importance of quick reaction and comprehensive information about internal escalation lines could lower this burden and increase the quality and benefit of the training. This should be a simple and brief procedure, or internal guideline, dealing with the topic in a consolidated manner and providing a practical, at-hand guide with clear, step-by-step instructions on how to proceed in case of an incident.

Conclusion

It is not an easy task to design and implement an efficient incident management system while considering all relevant regulatory aspects. In a time of stringent regulatory requirements in all areas, it is key to look at common points of different regulations and search for areas to integrate into single compliance systems.

Moreover, the effort to unify requirements and simplify reporting processes would be appreciated by regulatory authorities. There is no doubt that having a proper data breach management system is an important topic and each organization could benefit from harmonized rules.

Photo by Scott Graham on Unsplash


Approved
CIPM, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPT
Credits: 1

Submit for CPEs

Authors
Headshot František Nonnemann, CIPP/E Nonmember Contributor
Headshot Zuzana Dubská, CIPP/E, CIPM, FIP IAPP Member Contributor
Tags
Financial
Telecommunications
Europe
Cloud Computing
Data Loss
Infosecurity
Privacy Law
Privacy Operations Management
Security Operations Management
Comments

If you want to comment on this post, you need to login.

Related Stories
PSD2 is a game changer for the financial industry
International Banker reports on effects the Second Payment Services Directive will have on the financial industry in the European Union. PSD2 has been created to revise existing legislation in order to improve data sharing, transparency, and customer rights and to mandate banks share customer data w...
Read More queue Save This
How EU regulation will drive fintech competition
Computerworld reports on how the EU General Data Protection Regulation and Payment Services Directive 2 will strengthen the financial technology industry and increase its ability to compete with traditional banking. While the GDPR gives citizens the right to control the use of their data, PSD2 autho...
Read More queue Save This
First EU-wide cybersecurity law goes into effect
The first cybersecurity law to cover the entire European Union has now gone into effect, EURACTIV reports. The law requires entities ranging from water and energy services to search engines and cloud computing service providers to report any cybersecurity breaches to national authorities. Failure to...
Read More queue Save This
Related Stories
Tags
Financial
Telecommunications
Europe
Cloud Computing
Data Loss
Infosecurity
Privacy Law
Privacy Operations Management
Security Operations Management
Recent Comments