
The Privacy Advisor | Top 10 operational impacts of the GDPR: Part 1 – data security and breach notification


The new General Data Protection Regulation (GDPR) is set to replace the Data Protection Directive 95/46/ec effective May 25, 2018. The GDPR is directly applicable in each member state and will lead to a greater degree of data protection harmonization across EU nations.

Although many companies have already adopted privacy processes and procedures consistent with the Directive, the GDPR contains a number of new protections for EU data subjects and threatens significant fines and penalties for non-compliant data controllers and processors once it comes into force in the spring of 2018.

With new obligations on such matters as data subject consent, data anonymization, breach notification, trans-border data transfers, and appointment of data protection officers, to name a few, the GDPR requires companies handling EU citizens’ data to undertake major operational reform.

This is the first in a series of articles addressing the top 10 operational impacts of the GDPR.

GDPR Enhances Data Security and Breach Notification Standards

Data security plays a prominent role in the new General Data Protection Regulation (GDPR) reflecting its symbiotic relationship with modern comprehensive privacy regimes.

Compared to Directive 95/46/ec, the GDPR imposes stricter obligations on data processors and controllers with regard to data security while simultaneously offering more guidance on appropriate security standards. The GDPR also adopts for the first time specific breach notification guidelines.

Security of data processing standards

The GDPR separates responsibilities and duties of data controllers and processors, obligating controllers to engage only those processors that provide “sufficient guarantees to implement appropriate technical and organizational measures” to meet the GDPR’s requirements and protect data subjects’ rights. Processors must also take all measures required by Article 32, which delineates the GDPR’s “security of processing” standards.

Under Article 32, similarly to the Directive’s Article 17, controllers and processors are required to “implement appropriate technical and organizational measures” taking into account “the state of the art and the costs of implementation” and “the nature, scope, context, and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.” Unlike the Directive, however, the GDPR provides specific suggestions for what kinds of security actions might be considered “appropriate to the risk,” including:

  • The pseudonymisation and encryption of personal data.
  • The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
  • The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
  • A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

Controllers and processors that adhere to either an approved code of conduct or an approved certification mechanism — as described in Article 40 and Article 42 — may use these tools to demonstrate compliance with the GDPR’s security standards.

For additional guidance on security standards, controllers and processors may consider the Recitals, in particular Recitals 49 and 71, which allow for processing of personal data in ways that may otherwise be improper when necessary to ensure network security and reliability.

“Personal data breach” notification standards

Unlike the Directive, which was silent on the issue of data breach, the GDPR contains a definition of “personal data breach,” and notification requirements to both the supervisory authority and affected data subjects.

“Personal data” is defined in both the Directive and the GDPR as “any information relating to an identified or identifiable natural person (“data subject”).” Under the GDPR, a “personal data breach” is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.” This broad definition differs from that of most U.S. state data breach laws, for example, which typically are triggered only upon exposure of information that can lead to fraud or identity theft, such as financial account information.

In the event of a personal data breach, data controllers must notify the supervisory authority "competent under Article 55" which is most likely (looking to Article 56(1)) the supervisory authority of the member state where the controller has its main establishment or only establishment, although this is not entirely clear. Notice must be provided “without undue delay and, where feasible, not later than 72 hours after having become aware of it.” If notification is not made within 72 hours, the controller must provide a “reasoned justification” for the delay.

Article 33(1) contains a key exception to the supervisory authority notification requirement: Notice is not required if “the personal data breach is unlikely to result in a risk for the rights and freedoms of natural persons,” a phrase that will no doubt offer data protection officers and their outside counsel opportunities to debate the necessity of notification.

A notification to the authority must “at least”: (1) describe the nature of the personal data breach, including the number and categories of data subjects and personal data records affected; (2) provide the data protection officer’s contact information; (3) “describe the likely consequences of the personal data breach”; and (4) describe how the controller proposes to address the breach, including any mitigation efforts. If not all information is available at once, it may be provided in phases.

When a data processor experiences a personal data breach, it must notify the controller but otherwise has no other notification or reporting obligation under the GDPR.

If the controller has determined that the personal data breach “is likely to result in a high risk to the rights and freedoms of individuals,” it must also communicate information regarding the personal data breach to the affected data subjects. Under Article 34, this must be done “without undue delay.”

The GDPR provides exceptions to this additional requirement to notify data subjects in the following circumstances: (1) the controller has “implemented appropriate technical and organizational protection measures” that “render the data unintelligible to any person who is not authorized to access it, such as encryption”; (2) the controller takes actions subsequent to the personal data breach to “ensure that the high risk for the rights and freedoms of data subjects” is unlikely to materialize; or (3) when notification to each data subject would “involve disproportionate effort,” in which case alternative communication measures may be used.

Assuming the controller has notified the appropriate supervisory authority of a personal data breach, its discretion to notify data subjects is limited by the DPA’s ability, under Article 34(4), to require notification or conversely to determine it is unnecessary under the circumstances.
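As an added illustration (not part of the article), the Article 33 and Article 34 decision points described above, encoded as a small incident-response checklist. The three-step risk scale, the field names and the scenario data are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Article 33(1): notice to the supervisory authority (SA) "not later than 72 hours
# after having become aware"; a later notice needs a "reasoned justification".
SA_DEADLINE = timedelta(hours=72)

# Article 33(3) minimum content of the SA notice (constructed field names).
SA_NOTICE_FIELDS = ("nature", "dpo_contact", "likely_consequences", "measures")


@dataclass
class Breach:
    aware_at: datetime                     # moment the controller became aware
    risk: str                              # assumed scale: "unlikely", "risk" or "high"
    data_unintelligible: bool = False      # e.g. encrypted, keys not exposed (Art. 34 exception 1)
    high_risk_mitigated: bool = False      # later measures make the high risk unlikely (exception 2)
    disproportionate_effort: bool = False  # individual notice impractical (exception 3)


def must_notify_sa(b: Breach) -> bool:
    """Art. 33(1): SA notice is required unless the breach is unlikely to result in a risk."""
    return b.risk != "unlikely"


def sa_deadline(b: Breach) -> datetime:
    return b.aware_at + SA_DEADLINE


def needs_delay_justification(b: Breach, sent_at: datetime) -> bool:
    """True when a required SA notice went out after the 72-hour window."""
    return must_notify_sa(b) and sent_at > sa_deadline(b)


def data_subject_action(b: Breach) -> str:
    """Art. 34: individual communication when the risk is high, unless an exception applies.
    The SA may still require notice, or deem it unnecessary, under Art. 34(4)."""
    if b.risk != "high":
        return "not required"
    if b.data_unintelligible or b.high_risk_mitigated:
        return "exempt"
    if b.disproportionate_effort:
        return "alternative communication"
    return "notify individually without undue delay"


def missing_sa_fields(notice: dict) -> list:
    """Art. 33(3) items still absent; the regulation allows them to follow in phases."""
    return [f for f in SA_NOTICE_FIELDS if not notice.get(f)]


def example_breach() -> Breach:
    # Constructed scenario: laptop holding encrypted HR records lost, noticed Monday 09:00 UTC.
    aware = datetime(2018, 6, 4, 9, 0, tzinfo=timezone.utc)
    return Breach(aware_at=aware, risk="high", data_unintelligible=True)


if __name__ == "__main__":
    b = example_breach()
    print(must_notify_sa(b), sa_deadline(b).isoformat(), data_subject_action(b))
    print(missing_sa_fields({"nature": "lost laptop", "dpo_contact": "dpo@example.com"}))
```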

Harmonization

Data breach notification is possibly most firmly established globally in the U.S. There, “reasonable” security standards are still being defined and nearly every U.S. state has a different breach notification law, which has led to some consternation among privacy professionals. The GDPR’s uniform application across EU member states should at least provide predictability and thus efficiencies to controllers and processors seeking to establish compliant data security regimes and breach notification procedures across the entirety of the 28 member states. Nonetheless, the GDPR's reference to a "competent supervisory authority" suggests notification may need to be made to more than one supervisory authority depending on the circumstances, and the ambiguity of a number of terms such as "undue delay," "likelihood of risk to rights and freedoms," and "disproportionate effort" all remain to be further clarified and defined in practice.

11 Comments


  • comment jeroen jongenelen • Jan 7, 2016
    Hello Rita,
    
    You state that once the GDPR is formally adopted sometime this spring, it will be directly applicable in each member state. However article 91 (2) states "It shall apply from [two years from the date referred to in paragraph 1] where the date referred to in paragraph 1 is the date of adoption sometime this spring. Can you explain the direct applicability?
  • comment Sam • Jan 7, 2016
    Hi Joren - that's just a manner of speech to say that it applies to all 28 member states and does not need to be reinterpreted by every member state, like the Directive before it. Later, we note, "once it comes into force in the spring of 2018."
  • comment Marc Vrijhof • Jan 8, 2016
    In reaction to Jeroen's question and the response given, the following:
    In the Official Journal of EU (12.9.2015 EN Official Journal of the European Union C 301/1) the EDPS states that "the GDPR will enter into force 20 days after its publication in the Official Journal and is expected to be fully applicable two years after its entry into force (Article 91)".
    
    Question: How is the word "fully" to be understood? Is the regulation only fully applicable to collections formed after the date of publication and are the collections formed prior to publication given two years to adopt? Or are certain parts of the regulation immediately applicable and are controllers and processors given two years to comply with to the differences between the Directive and the Regulation?
  • comment Marcin Lewoszewski • Jan 15, 2016
    Hello Marc,
    
    I hope Recital 134 can answer some of your questions:
    
    "Directive 95/46/EC should be repealed by this Regulation. Processing already under way on the date of application of this Regulation should be brought into conformity with this Regulation within the period of two years after which this Regulation enters into force. Where processing is based on consent pursuant to Directive 95/46/EC, it is not necessary for the data subject to give his or her consent again if the way the consent has been given is in line with the conditions of this Regulation, so as to allow the controller to continue such processing after the date of application of this Regulation. Commission decisions adopted and authorisations by supervisory authorities based on Directive 95/46/EC remain in force until amended, replaced or repealed."
    
    Best,
    
    Marcin Lewoszewski
  • comment Alex Wall • Jan 18, 2016
    I wonder whether breached data that is encrypted at rest would justify a determination that “the personal data breach is unlikely to result in a risk for the rights and freedoms of individuals" and would therefore allow an organization to not report a breach of encrypted data?
  • comment Jim McNeill • Jan 27, 2016
    It's a pity that the regulation didn't point to an applicable ISO standard for security compliance - an opportunity wasted?
  • comment Jason Rusch • Aug 9, 2016
    Thank you for the great article.
  • comment Edward Roseman • Apr 3, 2017
    Hi,
    Can someone please advise me on the following: I am trying to find good quality information on how the new regulation compares to the approach taken by non-European countries which compete directly with the EU in the single market. Any advice please?
    
    Also, great article! Thanks
  • comment Sam Pfeifle • Apr 4, 2017
    Hi Edward, 
    
    I'm afraid I haven't seen an analysis with that particular angle. However, I can say that the EU's regulation is the most comprehensive in the Western World. The only comparable law would likely be Korea's, or perhaps Japan's, though I haven't studied either in great depth yet, as I don't have a great English translation of either. We're working on building out our Asian privacy information.
  • comment Syed Irfan • Aug 7, 2017
    Hi Rita,
    I have a small question.
    
    Do Processors have any obligations of data retention like controllers? 
    GDPR suggests that Data needs to be deleted by controller when it is not required for processing. However it might have to be retained for certain period of time beyond its usefulness to fulfill certain legislative requirements. Now if a 3rd party service provider is processing the client's Employee personal data for specific purpose and that purpose is complete, then does the service provider hold on to data to meet legislative requirements or just pass on the data to controller and controller has the onus to retain that?
    
    Please help me with this.
    
    Thanks.
  • comment Rita Heimes • Aug 9, 2017
    Hi, Syed. If I understand your question correctly, I believe at least part of the answer can be found in Article 28, especially subsection 3(g). In essence, the controller is obliged to pass along to the processor all of the controller's duties to the data subject. In the real world, vendor (processor) agreements consistently require processors to return data, and to delete any retained copies, at the conclusion of the business relationship. This serves the processor as well because it now does not keep data that might be vulnerable to breach. Under Article 28(3)(g), the controller's contract with the processor should "at the choice of the controller," require that the processor "deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data."