News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Daily Dashboard | Top 10 operational impacts of the GDPR: Part 1 – data security and breach notification Related reading: NIS + GDPR = A New Breach Regime in the EU

rss_feed

""

""

The new General Data Protection Regulation (GDPR) is set to replace the Data Protection Directive 95/46/ec effective May 25, 2018. The GDPR is directly applicable in each member state and will lead to a greater degree of data protection harmonization across EU nations.

Although many companies have already adopted privacy processes and procedures consistent with the Directive, the GDPR contains a number of new protections for EU data subjects and threatens significant fines and penalties for non-compliant data controllers and processors once it comes into force in the spring of 2018.

With new obligations on such matters as data subject consent, data anonymization, breach notification, trans-border data transfers, and appointment of data protection officers, to name a few, the GDPR requires companies handling EU citizens’ data to undertake major operational reform.

This is the first in a series of articles addressing the top 10 operational impacts of the GDPR.

GDPR Enhances Data Security and Breach Notification Standards

Data security plays a prominent role in the new General Data Protection Regulation (GDPR) reflecting its symbiotic relationship with modern comprehensive privacy regimes.

Compared to Directive 95/46/ec, the GDPR imposes stricter obligations on data processors and controllers with regard to data security while simultaneously offering more guidance on appropriate security standards. The GDPR also adopts for the first time specific breach notification guidelines.

Security of data processing standards

The GDPR separates responsibilities and duties of data controllers and processors, obligating controllers to engage only those processors that provide “sufficient guarantees to implement appropriate technical and organizational measures” to meet the GDPR’s requirements and protect data subjects’ rights. Processors must also take all measures required by Article 32, which delineates the GDPR’s “security of processing” standards.

Under Article 32, similarly to the Directive’s Article 17, controllers and processors are required to “implement appropriate technical and organizational measures” taking into account “the state of the art and the costs of implementation” and “the nature, scope, context, and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural presons.” Unlike the Directive, however, the GDPR provides specific suggestions for what kinds of security actions might be considered “appropriate to the risk,” including:

  • The pseudonymisation and encryption of personal data.
  • The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
  • The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
  • A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

Controllers and processors that adhere to either an approved code of conduct or an approved certification mechanism — as described in Article 40 and Article 42 — may use these tools to demonstrate compliance with the GDPR’s security standards.

For additional guidance on security standards, controllers and processors may consider the Recitals, in particular Recitals 49 and 71, which allow for processing of personal data in ways that may otherwise be improper when necessary to ensure network security and reliability.

“Personal data breach” notification standards

Unlike the Directive, which was silent on the issue of data breach, the GDPR contains a definition of “personal data breach,” and notification requirements to both the supervisory authority and affected data subjects.

“Personal data” is defined in both the Directive and the GDPR as “any information relating to an identified or identifiable natural person (“data subject”).” Under the GDPR, a “personal data breach” is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.” This broad definition differs from that of most U.S. state data breach laws, for example, which typically are triggered only upon exposure of information that can lead to fraud or identity theft, such as financial account information.

In the event of a personal data breach, data controllers must notify the  supervisory authority "competent under Article 55" which is most likely (looking to Article 56(1)) the supervisory authority of the member state where the controller has its main establishment or only establishment, although this is not entirely clear. Notice must be provided “without undue delay and, where feasible, not later than 72 hours after having become aware of it.” If notification is not made within 72 hours, the controller must provide a “reasoned justification” for the delay.

Article 33(1) contains a key exception to the supervisory authority notification requirement: Notice is not required if “the personal data breach is unlikely to result in a risk for the rights and freedoms of natural persons,” a phrase that will no doubt offer data protection officers and their outside counsel opportunities to debate the necessity of notification.

A notification to the authority must “at least”: (1) describe the nature of the personal data breach, including the number and categories of data subjects and personal data records affected; (2) provide the data protection officer’s contact information; (3) “describe the likely consequences of the personal data breach”; and (4) describe how the controller proposes to address the breach, including any mitigation efforts. If not all information is available at once, it may be provided in phases.

When a data processor experiences a personal data breach, it must notify the controller but otherwise has no other notification or reporting obligation under the GDPR.

If the controller has determined that the personal data breach “is likely to result in a high risk to the rights and freedoms of individuals,” it must also communicate information regarding the personal data breach to the affected data subjects. Under Article 34, this must be done “without undue delay.”

The GDPR provides exceptions to this additional requirement to notify data subjects in the following circumstances: (1) the controller has “implemented appropriate technical and organizational protection measures” that “render the data unintelligible to any person who is not authorized to access it, such as encryption”; (2) the controller takes actions subsequent to the personal data breach to “ensure that the high risk for the rights and freedoms of data subjects” is unlikely to materialize; or (3) when notification to each data subject would “involve disproportionate effort,” in which case alternative communication measures may be used.

Assuming the controller has notified the appropriate supervisory authority of a personal data breach, its discretion to notify data subjects is limited by the DPA’s ability, under Article 34(4), to require notification or conversely to determine it is unnecessary under the circumstances.

Harmonization

Data breach notification is possibly most firmly established globally in the U.S. There, “reasonable” security standards are still being defined and nearly every U.S. state has a different breach notification law, which has led to some consternation among privacy professionals. The GDPR’s uniform application across EU member states should at least provide predictability and thus efficiencies to controllers and processors seeking to establish compliant data security regimes and breach notification procedures across the entirety of the 28 member states. Nonetheless, the GDPR's reference to a "competent supervisory authority" suggests notification may need to be made to more than one supervisory authority depending on the circumstances, and the ambiguity of a number of terms such as "undue delay," likelihood of risk to rights and freedoms," and "disproportionate effort" all remain to be further clarified and defined in practice.

Where to find the rules

Looking to dive deeper into the General Data Protection Regulation to read the text regarding cybersecurity and breach notification for yourself? Find the full text of the Regulation here in our Resource Center.

You’ll want to focus on these portions:

Recitals

(39) Any processing of personal data should be lawful and fair. … Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing.

(49) The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, by public authorities, by computer emergency response teams (CERTs), computer security incident response teams (CSIRTs), by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned. This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems. 

(71) The data subject should have the right not to be subject to a decision, which may include a measure, evaluating personal aspects relating to him or her which is based solely on automated processing … However, decision-making based on such processing, including profiling, should be allowed where expressly authorised by Union or Member State law, to which the controller is subject, including … to ensure the security and reliability of a service provided by the controller….

(81) To ensure compliance with the requirements of this Regulation in respect of the processing to be carried out by the processor on behalf of the controller, when entrusting a processor with processing activities, the controller should use only processors providing sufficient guarantees, in particular in terms of expert knowledge, reliability and resources, to implement technical and organisational measures which will meet the requirements of this Regulation, including for the security of processing. The adherence of the processor to an approved code of conduct or an approved certification mechanism may be used as an element to demonstrate compliance with the obligations of the controller.

Articles

Article 4, Definitions

– 1 personal data

– 12 personal data breach

Art 28, Processor

– 1 and 3(c)

Article 32, Security of processing

Article 33, Notification of a personal data breach to the supervisory authority

Article 34, Communication of a personal data breach to the data subject

Article 40, Codes of Conduct

Article 42, Certification

Author
Headshot Rita Heimes, CIPP/E, CIPP/US, CIPM IAPP Staff Contributor
Tags
Europe
Enforcement
Infosecurity
13 Comments

If you want to comment on this post, you need to login.

  • comment jeroen jongenelen • Jan 7, 2016 
    Hello Rita,

You state that once the GDPR is formally adopted sometime this spring, it will be directly applicable in each member state. However article 91 (2) states "It shall apply from [two years from the date referred to in paragraph 1] where the date referred to in paragraph 1 is the date of adoption sometimes this spring. Can you explain the direct applicability?
  • comment Sam • Jan 7, 2016 
    Hi Joren - that's just a manner of speech to say that it applies to all 28 member states and does not need to be reinterpreted by every member state, like the Directive before it. Later, we note, "once it comes into force in the spring of 2018."
  • comment Marc Vrijhof • Jan 8, 2016 
    In reaction to Jeroen's question and the respons given the following: 
In the Official Journal of EU (12.9.2015 EN Official Journal of the European Union C 301/1) the EDPS states that "the GDPR will enter into force 20 days after its publication in the Official Journal and is expected to be fully applicable two years after its entry into force (Article 91)".

Question: How is the word "fully" to be understood? Is the regulation only fully applicable to collections formed after the date of publication and are the collections formed prior to publication given two years to adopt? Or are certain parts of the regulation immediately applicable and are controllers and processors given two years to comply with to the differences between the Directive and the Regulation?
  • comment Marcin Lewoszewski • Jan 15, 2016 
    Hello Marc,

I hope Recital 134 can answer some of your questions:

"Directive 95/46/EC should be repealed by this Regulation. Processing already under way on the date of application of this Regulation should be brought into conformity with this Regulation within the period of two years after which this Regulation enters into force. Where processing is based on consent pursuant to Directive 95/46/EC, it is not necessary for the data subject to give his or her consent again if the way the consent has been given is in line with the conditions of this Regulation, so as to allow the controller to continue such processing after the date of application of this Regulation. Commission decisions adopted and authorisations by supervisory authorities based on Directive 95/46/EC remain in force until amended, replaced or repealed."

Best,

Marcin Lewoszewski
  • comment Alex Wall • Jan 18, 2016 
    I wonder whether breached data that is encrypted at rest would justify a determination that “the personal data breach is unlikely to result in a risk for the rights and freedoms of individuals" and would therefore allow an organization to not report a breach of encrypted data?
  • comment Jim McNeill • Jan 27, 2016 
    It's a pity that the regulation didn't point to an applicable ISO standard for security compliance - an opportunity wasted?
  • comment Jason Rusch • Aug 9, 2016 
    Thank you for the great article.
  • comment Edward Roseman • Apr 3, 2017 
    Hi,
Can someone please advice me on the following, I am trying to find good quality information on how the new regulation compares to the approach taken by non European countries which compete directly with the EU in the single market. any advice please?

Also, great article! Thanks
  • comment Sam Pfeifle • Apr 4, 2017 
    Hi Edward, 

I'm afraid I haven't seen an analysis with that particular angle. However, I can say that the EU's regulation is the most comprehensive in the Western World. The only comparable law would likely be Korea's, or perhaps Japan's, though I haven't studied either in great depth yet, as I don't have a great English translation of either. We're working on building out our Asian privacy information.
  • comment Syed Irfan • Aug 7, 2017 
    Hi Rita,
I have a small question.

Do Processors have any obligations of data retention like controllers? 
GDPR suggests that Data needs to be deleted by controller when it is not required for processing. However it might have to be retained for certain period of time beyond its usefulness to fulfill certain legislative requirements. Now if a 3rd party service provider is processing the client's Employee personal data for specific purpose and that purpose is complete, then does the service provider hold on to data to meet legislative requirements or just pass on the data to controller and controller has the onus to retain that?

Please help me with this.

Thanks.
  • comment Rita Heimes • Aug 9, 2017 
    Hi, Syed. If I understand your question correctly, I believe at least part of the answer can be found in Article 28, especially subsection 3(g). In essence, the controller is obliged to pass along to the processor all of the controller's duties to the data subject. In the real world, vendor (processor) agreements consistently require processors to return data, and to delete any retained copies, at the conclusion of the business relationship. This serves the processor as well because it now does not keep data that might be vulnerable to breach. Under Article 28(3)(g), the controller's contract with the processor should "at the choice of the controller," require that the processor "deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data."
  • comment tg kavya • May 3, 2018 
    Hi article is nice,
but still GDPR awareness is required ,
The EU Law General Data Protection Regulation Awareness – GDPR is a law on data protection and privacy for all individuals. It addresses the export of personal data by the outsiders. The General data protection regulation was approved by the EU Parliament on 14 April 2016 and going to Implement on 25 May 2018.
<a href="http://beyondcorner.com/eu-law-general-data-protection-regulation-awareness-gdpr/" rel="nofollow">Requirements and GDPR overview definition</a> i hope this may be use full.
  • comment tg kavya • May 3, 2018 
    Hi article is nice, but still GDPR awareness is required , The EU Law General Data Protection Regulation Awareness – GDPR is a law on data protection and privacy for all individuals. It addresses the export of personal data by the outsiders. The General data protection regulation was approved by the EU Parliament on 14 April 2016 and going to Implement on 25 May 2018.
for more information follow the URL
http://beyondcorner.com/eu-law-general-data-protection-regulation-awareness-gdpr/
Related Stories
NIS + GDPR = A New Breach Regime in the EU
European lawmakers capped off a blockbuster week for privacy with an important step towards the first comprehensive information security legislation in the EU. The Network Information Security (NIS) Directive was initially proposed by the European Commission in February 2013 to raise cybersecurity c...
Read More queue Save This
GDPR: We Have Agreement
2
On January 25, 2012, the European Commission first proposed a new data protection framework to replace the rapidly decaying Directive of 1995. Yesterday, following a long day of trilogue negotiations, the European Parliament and Council announced they have reached an agreement to a consolidated text...
Read More queue Save This
The GDPR Is Here: What's a Privacy Pro To Do Next?
Tuesday night, the European Parliament and Council announced that, after years of negotiating, they've reached an agreement on a consolidated text of a brand-new General Data Protection Regulation. The Luxembourg Presidency of the Council of the European Union called it a "historic agreement," while...
Read More queue Save This
Podcast: How To Interpret the New GDPR
At long last, a compromise text is available and it looks like the four-year quest for a new data protection regime in the European Union is coming to a close. The Parliament's LIBE Committee will vote on the General Data Protection Regulation (GDPR) text on Thursday, December 16, and everyone expec...
Read More queue Save This
Where to find the rules

Looking to dive deeper into the General Data Protection Regulation to read the text regarding cybersecurity and breach notification for yourself? Find the full text of the Regulation here in our Resource Center.

You’ll want to focus on these portions:

Recitals

(39) Any processing of personal data should be lawful and fair. … Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing.

(49) The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, by public authorities, by computer emergency response teams (CERTs), computer security incident response teams (CSIRTs), by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned. This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems. 

(71) The data subject should have the right not to be subject to a decision, which may include a measure, evaluating personal aspects relating to him or her which is based solely on automated processing … However, decision-making based on such processing, including profiling, should be allowed where expressly authorised by Union or Member State law, to which the controller is subject, including … to ensure the security and reliability of a service provided by the controller….

(81) To ensure compliance with the requirements of this Regulation in respect of the processing to be carried out by the processor on behalf of the controller, when entrusting a processor with processing activities, the controller should use only processors providing sufficient guarantees, in particular in terms of expert knowledge, reliability and resources, to implement technical and organisational measures which will meet the requirements of this Regulation, including for the security of processing. The adherence of the processor to an approved code of conduct or an approved certification mechanism may be used as an element to demonstrate compliance with the obligations of the controller.

Articles

Article 4, Definitions

– 1 personal data

– 12 personal data breach

Art 28, Processor

– 1 and 3(c)

Article 32, Security of processing

Article 33, Notification of a personal data breach to the supervisory authority

Article 34, Communication of a personal data breach to the data subject

Article 40, Codes of Conduct

Article 42, Certification

Related Stories
Tags
Europe
Enforcement
Infosecurity
Recent Comments