Data protection and privacy become a public focus whenever a data breach fills headlines. This time, the European Union’s General Data Protection Regulation (GDPR) is receiving more attention and anticipation with the recent reports of data breaches. Weeks ahead of its enforcement, security experts are starting to look at breaches through the lens of the stricter standards of the GDPR.
A data breach can result in the loss or exposure of millions of private records. It can impact not only the breached organization, but also customers or users whose information has been stolen or lost (including to a ransomware attack), which is the root of the widespread publicity around data breaches. Cybercriminals gaining access to different kinds of data could lead to a wide variety of crimes or attacks, from lost intellectual property to identity theft.
Under the GDPR, data breaches can highlight an organization’s noncompliance, which could ultimately lead to both fines (up to €20 million or 4 percent of global revenue, whichever is higher) and/or the cessation of data processing operations with EU member states, a result that could be crippling for an enterprise. This is because the GDPR has provisions that recognize the many detrimental implications of data breaches involving personal data. Abiding by the GDPR can help organizations plan a stronger defense against data breaches and other cyberthreats, as well as provide transparency on data processing for data subjects and regulatory bodies.
Not all countries or regions have data breach notification laws or provide guidelines for reporting. But while organizations can opt not to report data breaches, breach notification is a strategic decision. The timing of breach announcement is crucial because at stake is not only the safety of affected persons but also the organization’s public image and customer trust.
The GDPR leaves no room for ambiguity in terms of transparency and user control, introducing provisions that govern how early and to whom a personal data breach must be made known. It also imposes strict fines in case organizations do not meet its notification requirements.
Organizations must report a personal data breach without delay, within 72 hours of the discovery if possible, when there is a risk to affected individuals.
Failure to notify authorities of a breach when deemed necessary may result in a fine of up to 10 million euros or 2 percent of an organization’s global turnover.
Organizations acting as data controllers must notify their supervisory authority, unless the data breach is unlikely to cause a risk to individuals’ rights and freedoms. Data processors have the responsibility to inform data controllers without undue delay that a personal data breach had taken place.
Affected individuals must also be notified if the data breach is likely to pose a “high risk” to their rights and freedoms. The GDPR elaborates that risks may include a loss of control over personal data, financial loss, identity theft, and damage to reputation, among others. In the case of organizations acting as data processors, the data controller must be notified without delay.
The GDPR allows organizations to send the information about a breach in phases, as long as an initial notification has been made within the 72 hour deadline. Delays to the full report and any steps the organization has taken in response to the breach must be well documented for the final report to the supervisory authority.
However important it is for organizations to be prepared to handle data breaches — especially under the GDPR — it is still in the best interest of organizations to prevent a data breach if possible.
Prevention is vital for organizations to avoid the consequences of a data breach. Preventive measures also protect the personal information of its users or customers, aligning with the intent of the GDPR. The GDPR puts protection and privacy into the forefront of any controller’s data processing by its data protection by design and default facet, as well as its state-of-the-art technology component.
Here are measures organizations can take to prevent data breaches from happening.
Watch our video case study to see how Trend Micro is preparing for the GDPR.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.