Data protection and privacy become a public focus whenever a data breach fills headlines. This time, the European Union’s General Data Protection Regulation (GDPR) is receiving more attention and anticipation with the recent reports of data breaches. Weeks ahead of its enforcement, security experts are starting to look at breaches through the lens of the stricter standards of the GDPR.
A data breach can result in the loss or exposure of millions of private records. It can impact not only the breached organization, but also customers or users whose information has been stolen or lost (including to a ransomware attack), which is the root of the widespread publicity around data breaches. Cybercriminals gaining access to different kinds of data could lead to a wide variety of crimes or attacks, from lost intellectual property to identity theft.
Under the GDPR, a data breach can expose an organization's noncompliance, which can ultimately lead to fines (up to €20 million or 4 percent of total worldwide annual turnover, whichever is higher) and, in serious cases, a temporary or definitive ban on processing personal data, a result that could be crippling for an enterprise. The GDPR's provisions recognize the many detrimental consequences of breaches involving personal data. Abiding by the GDPR can help organizations plan a stronger defense against data breaches and other cyberthreats, as well as provide transparency on data processing for data subjects and regulatory bodies.
Data Breach Notification Under the GDPR
Not all countries or regions have data breach notification laws or guidelines for reporting. Where no law compels it, whether and when to report a breach is a strategic decision. The timing of a breach announcement is crucial because at stake is not only the safety of affected persons but also the organization's public image and customer trust.
The GDPR leaves no room for ambiguity in terms of transparency and user control, introducing provisions that govern how early and to whom a personal data breach must be made known. It also imposes strict fines in case organizations do not meet its notification requirements.
Who should be notified about a data breach, and when?
Organizations must report a personal data breach to their supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to affected individuals.
Failure to notify the authority of a breach when notification is required may result in a fine of up to €10 million or 2 percent of an organization's total worldwide annual turnover, whichever is higher.
Organizations acting as data controllers must notify their supervisory authority, unless the data breach is unlikely to result in a risk to individuals' rights and freedoms. Organizations acting as data processors must inform the relevant data controller without undue delay after becoming aware that a personal data breach has taken place; the 72-hour clock for the controller then starts when the controller becomes aware of it.
Affected individuals must also be notified, without undue delay, if the data breach is likely to result in a "high risk" to their rights and freedoms. The GDPR elaborates that such risks may include loss of control over personal data, financial loss, identity theft, and damage to reputation, among others.
The GDPR allows organizations to provide the information about a breach in phases, as long as an initial notification has been made within the 72-hour deadline. If the notification to the supervisory authority is made after 72 hours, it must be accompanied by the reasons for the delay, and every step the organization has taken in response to the breach must be documented for the final report.
When is notification to affected data subjects not necessary?
The controller had implemented appropriate technical and organizational protection measures that render the data unintelligible to anyone not authorized to access it, such as sufficiently strong encryption of the involved personal data with keys that were not also compromised.
The controller has since taken measures which ensure that the high risk to data subjects is no longer likely to materialize.
Individual notification would involve disproportionate effort. In such a case, a public communication or a similar measure that informs the data subjects in an equally effective manner must be made instead.
What must data breach notifications to supervisory authorities contain?
To help the supervisory authority verify GDPR compliance, data controllers must keep an internal record of every personal data breach, including those not reported, stating the following:
The facts related to the breach
The effects of the breach
The remedial actions taken by the controller
The notification sent to the supervisory authority must itself contain at least the following:
A description of the nature of the data breach including, where possible, the categories and approximate number of data subjects concerned, and the categories and approximate number of personal data records concerned
The name and contact details of the data protection officer (DPO) or other contact point where more information can be obtained
A description of the likely consequences of the personal data breach
A description of the measures taken or proposed to be taken by the organization to address the breach, including measures for the organization and the affected individuals to mitigate its possible adverse effects
How can organizations prevent data breaches?
A good defense tactic is to assume compromise and prepare countermeasures:
Quickly identify and respond to ongoing security breaches
Contain the breach
Prevent breaches by securing all exploitable avenues
Apply lessons learned to further strengthen defenses
However important it is for organizations to be prepared to handle data breaches, especially under the GDPR, it is still in their best interest to prevent a data breach where possible.
Prevention is vital for organizations to avoid the consequences of a data breach. Preventive measures also protect the personal information of users and customers, which aligns with the intent of the GDPR. The GDPR puts protection and privacy at the forefront of any controller's processing through its requirement for data protection by design and by default, and through its requirement that security measures take the state of the art into account.
Here are measures organizations can take to prevent data breaches from happening.
Know and map your data. Identify what types of data your organization is processing, singling out those that need to be deleted or might need stricter privacy controls. Become familiar with where data is going, where it is stored, and the pathways in between your data takes to get from one part of the process to another.
Employ the critical security controls. The Center for Internet Security (CIS), an independent global nonprofit entity, maintains the CIS Critical Security Controls, a prioritized and regularly updated list of safeguards and best practices for computer security. The list covers technical basics such as controlling administrative privileges as well as organizational measures like penetration testing; implement them in priority order rather than cherry-picking the convenient ones.
Defend against insider attacks. Technical steps to prevent insider attacks include monitoring and logging activities, especially regarding who has access to certain types of data. Nontechnical means of security against an insider attack involve employee management through close cooperation with human resources. These entail conducting thorough background checks, observing workplace behavior, and implementing good security practices.
Ensure privacy awareness in all sectors of the organization. Make data privacy and protection a shared responsibility for everyone in the organization. It promotes accountability for handling data, as well as fosters a culture of security. Key to this is employee education and training, not only on security but also on key regulations like the GDPR.
Expand your protection beyond your organization. Look beyond your own company borders. Data breaches can come from unexpected weak links that are part of the data processing workflow but not of your organization. For instance, require that third-party suppliers are committed (via contracts) and taking action to be secure and compliant with the GDPR.
Invest in state-of-the-art cybersecurity. Improve current IT solutions with a defense that can protect the entire enterprise — from user devices to cloud environments — using meaningful security analysis, threat data sharing, tested incident response capabilities, and centralized visibility across security arsenals.
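Two of the points above connect in practice: the notification must state the categories and approximate number of data subjects and records concerned, and that number can only be produced if data access is logged per identity, as the "Defend against insider attacks" measure recommends. The following is an added example, not code from the original article or from Trend Micro, showing how an incident responder scopes a breach from such an audit log and tracks the 72-hour clock. The log format (timestamp, actor, action, data category, subject id, record id), the sample lines, the compromised account and the window of compromise are all constructed for the example; in a real incident the actor and window come from the investigation.

```python
"""Scope a personal data breach from per-identity data-access audit logs.

Added example (not from the original article). Given audit log lines in
the constructed format below, plus the identity known to be compromised
and the window during which it was under attacker control, compute what
an Article 33(3) notification asks for: categories of personal data
touched, approximate number of data subjects, approximate number of
records, and what was exported rather than merely read. Also tracks the
72-hour notification window from the moment of becoming aware.
"""
from collections import namedtuple
from datetime import datetime, timedelta, timezone

# Constructed sample audit log (assumed format, one event per line):
# <ISO-8601 UTC timestamp> <actor> <action> <data category> subj=<id> rec=<id>
SAMPLE_LOG = """\
2018-05-10T08:02:11Z alice READ customer.contact subj=1001 rec=c-1
2018-05-10T08:05:40Z alice READ customer.contact subj=1002 rec=c-2
2018-05-10T22:14:03Z svc-backup READ customer.payment subj=1001 rec=p-1
2018-05-10T22:14:05Z svc-backup READ customer.payment subj=1003 rec=p-2
2018-05-10T22:14:07Z svc-backup EXPORT customer.health subj=1004 rec=h-1
2018-05-11T01:30:00Z svc-backup READ customer.contact subj=1002 rec=c-2
2018-05-11T09:00:00Z bob READ customer.contact subj=1005 rec=c-5
2018-05-12T03:00:00Z svc-backup READ customer.payment subj=1001 rec=p-1
"""

Entry = namedtuple("Entry", "ts actor action category subject record")


def utc(stamp):
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log(text):
    """Parse the constructed log format; malformed lines raise rather than being skipped,
    because silently dropping events would understate the breach."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, actor, action, category, subj, rec = line.split()
        entries.append(Entry(utc(ts), actor, action, category,
                             subj.split("=", 1)[1], rec.split("=", 1)[1]))
    return entries


def scope_breach(entries, compromised_actor, start, end):
    """Return the Article 33(3) figures for everything the compromised identity
    touched inside [start, end]. Counts are deduplicated per subject and per
    record, so repeated reads of one record do not inflate them. They are a
    lower bound (the GDPR asks for 'approximate' numbers for this reason):
    anything accessed through an unlogged path is invisible here."""
    touched = [e for e in entries
               if e.actor == compromised_actor and start <= e.ts <= end]
    subjects = {e.subject for e in touched}
    records = {(e.category, e.record) for e in touched}
    return {
        "categories": sorted({e.category for e in touched}),
        "subjects_approx": len(subjects),
        "records_approx": len(records),
        "exported_records": sorted({e.record for e in touched if e.action == "EXPORT"}),
        "events": len(touched),
    }


def notification_status(aware_at, now):
    """Status of the 72-hour clock: ('open' | 'overdue', hours remaining, may be negative).
    The clock starts when the controller becomes aware, not when the breach began."""
    remaining = (aware_at + timedelta(hours=72)) - now
    hours = remaining.total_seconds() / 3600.0
    return ("overdue" if hours < 0 else "open"), hours


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    # Investigation (assumed) found svc-backup's credentials abused between these times.
    scope = scope_breach(events, "svc-backup", utc("2018-05-10T22:00:00Z"), utc("2018-05-11T02:00:00Z"))
    print(scope)
    print(notification_status(utc("2018-05-11T10:00:00Z"), utc("2018-05-13T09:00:00Z")))
```

Widening the window to include the later read of record p-1 leaves the record and subject counts unchanged because the sets deduplicate, while the event count rises; that distinction (events versus distinct subjects) is exactly what the phased-notification provision lets a controller refine after the initial 72-hour report.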