First up, some (sort of) good news. A recent global study conducted by Ponemon Institute found that the average cost to a business of a data breach has declined 10% since 2016, to $3.62 million (£2.79m), or $141/£108 per lost and stolen record.
The not-so-good news is that this decline isn’t likely to continue once the forthcoming General Data Protection Regulation (GDPR) comes into force on May 25, 2018. This is not just because of the swingeing fines for transgressing GDPR (which can include failing to notify of a breach in time), but also because of the increased costs associated with managing a breach in a timely manner.
The bad news is that the same report concluded that the chances of experiencing a data breach are as high as one in four. So, unless you like gambling against these unfavorable odds, it is vital that you and your business understand how the procedure after a data breach will change under GDPR.
BlueVenn has strategic relationships with legal and compliance experts, to provide a complete range of services, advice and guidance to help you on your way to GDPR compliance. You can find out more about our GDPR Impact Assessments here, or read a summary of the changes below...
In the UK, data controllers currently have a responsibility to ensure personal data is held securely, but data breaches do not always have to be notified to the regulator (in the UK's case, the Information Commissioner's Office, or ICO). While service providers (like an ISP or telecommunications company) do have a duty to inform the ICO, the ICO says of data controllers:
“Under the Data Protection Act (DPA), although there is no legal obligation on data controllers to report breaches of security, we believe that serious breaches should be reported to the ICO.”
The new Regulation makes informing the relevant people and authorities of a data breach imperative, especially when the breach affects individual rights and freedoms.
1. What constitutes a ‘personal data breach’?
A personal data breach is one that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data that has been transmitted, stored or otherwise processed.
2. What are some examples of a personal data breach?
A personal data breach is an incident where there is a “risk to the rights and freedoms of individuals”, which could have a “significant detrimental effect” on them. This includes discrimination, damage to reputation, financial loss, loss of confidentiality or other significant economic or social disadvantage. A breach can include the following examples:
- A doctor or health organization accidentally sharing medical data with the wrong patient
- The leak of private photos from a cloud storage app
- The loss or theft of a computer, laptop or memory stick that contains a database of customer records
3. How soon must you notify regulators about a personal data breach?
In cases that meet the definition above, data controllers shall inform the regulator (the ICO) “not later than 72 hours” after discovering the breach, or “without undue delay”. Should this notification not be made in time, there must be a “reasoned justification” for the delay. This phrasing seems to be deliberately vague so as to cover a wide range of eventualities.
However, it is important to point out that 72 hours is a very short space of time to learn about a breach, the impact it has, remediate the damage, notify those involved and relay all this information to the regulator.
4. Who else am I required to inform?
Along with the regulators, where a data breach is likely to be a high risk to the rights and freedoms of individuals, your company is required to communicate the nature of the breach, in plain English, to the data subject concerned, “without undue delay”.
5. Are there any exceptions?
There are some circumstances in which notification to the data subject is not required, including:
- If your organization has implemented protection measures in respect of the personal data affected by the breach (encryption, for example).
- If your organization has taken subsequent measures to ensure that a high risk to the rights and freedoms of individuals is no longer likely to arise.
- If notification would involve ‘disproportionate’ effort, although details of what can be considered disproportionate have not been made clear.
6. What are the fines for non-compliance?
Under the existing Data Protection Act, the ICO can issue fines of up to $648,000 (£500,000). Failure to comply with GDPR could result in a fine of 10 million Euros (£8.7m/$11.3m) or 2% of annual global turnover (whichever is greater). More serious contraventions could lead to a 20 million Euro fine (£17.9m/$22.7m), or 4% of global annual turnover.
7. How does this affect companies outside of the European Union?
The short answer is that if your company does any form of trade with customers within the EU, then GDPR rules will apply to you if you store, process or share EU citizens’ personal data. You can read more about this in our blog post.
It is especially worth noting that GDPR has a far broader definition of what constitutes a personal data breach when compared to the basic level of state laws in the US. The International Association of Privacy Professionals website goes into more detail about this topic here.
The General Data Protection Regulation White Paper
A practical guide for businesses
This White Paper, created by BlueVenn in collaboration with data protection specialists, provides a thorough look at how GDPR will change existing laws, and offers suggestions for what you can do now to prepare for GDPR. This White Paper also covers:
- The global scope of GDPR
- How GDPR will change consent, processing and profiling
- The new rights for data subjects
- Guidelines for Data Protection Officers
- Liabilities, penalties and enforcement