Compared to the current legal framework, the new General Data Protection Regulation (GDPR) contains stricter obligations with regard to data security, data breach notifications and data subject notifications. Therefore, many companies have already started preparing compliance, given that many of these obligations will require time to implement.
The GDPR requires both data processors and data controllers to implement appropriate security measures on every level of data processing.
In this regard, the GDPR provides specific suggestions, such as, but not limited to:
- The pseudonymisation and encryption of personal data.
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing, for example approved and tested codes of conduct, certifications and guidelines.
In assessing the appropriate level of security, data controllers and data processors are required to take into account the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.
In particular, the risk would be higher with regards to large-scale processing operations which aim to process a considerable amount of personal data at regional, national or supranational level, which could affect a large number of data subjects and which are thus likely to result in a high risk, for example, on account of their sensitivity. For example, the storing of patient files in the cloud by a hospital shall have a higher risk profile than a customer loyalty program of an independent hairdresser, due to the large scale of the processing operation and the sensitive nature of the patient data.
Data Breach Notification
A data breach is a security incident in which sensitive, protected or confidential personal data is intentionally or unintentionally released to an untrusted environment or copied, transmitted, viewed, stolen or used by an individual unauthorized to do so. Such incidents range from concerted attacks with the backing of organized crime or national governments to careless disposal of used computer equipment or data storage media.
Under the GDPR, the data controller shall have to notify a data breach to the supervisory authority without undue delay and, where feasible, within 72 hours of awareness. If this timeframe is not met, the untimely notification must be accompanied with reasons justifying the delay.
The data breach notification must contain information including, among others:
- the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- a description of the likely consequences of the data breach;
- a description of the measures taken or proposed to be taken by the data controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
There is one key exception to the notification obligation. Notification is not required if the data breach is unlikely to result in a “risk to the rights and freedoms of natural persons”. The preamble of the GDPR determines that a risk to the rights and freedoms of individuals may consist of physical, material or non-material damage such as identity theft or fraud, financial loss, discrimination or reputational damage.
Lastly, the data controller shall also be required to maintain an internal data breach register, allowing the supervisory authority to verify compliance with the GDPR if needed.
In the event that the data processor becomes aware of a data breach, it must notify the data controller thereof. The data processor himself has no other notification or reporting obligations.
Data Subject Notification
In certain cases, the GDPR also requires a notification of data breaches to data subjects. If the data controller has determined that the data breach “is likely to result in a high risk to the rights and freedoms of individuals” it must also communicate - without undue delay - information regarding the data breach to the affected data subjects.
The GDPR does not further precise the distinction between “high risk” with regard to data subject notification and “risk” with regard to data breach notification. Therefore, this phrase will surely become the object of many discussions regarding the necessity of data subject notification.
The GDPR sets forth three exceptions whereby the data controller shall not be required to notify data subjects:
- the controller has implemented appropriate technical and organizational protection measures that render the data unintelligible to any person who is not authorized to access it, such as encryption;
- the controller takes actions subsequent to the personal data breach to “ensure that the high risk for the rights and freedoms of data subjects” is unlikely to materialize, such as the full recovery or destruction of the leaked data, so that the data is not in the hands of a third party;
- when notification to each data subject would involve disproportionate effort, in which case alternative communication measures may be used, such as a public information campaign.
To Do List
The practical implementation of the above described new legal requirements is challenging. This is not in the least because of the ambiguity of certain terms such as "undue delay", “likelihood of/(high) risk to rights and freedoms" and "disproportionate effort", which remain to be further clarified and defined in practice.
Also, companies may want to prepare themselves to meet these additional requirements by:
- Developing clear policies and procedures to ensure a timely reaction to data breaches, including notification procedures, incident identification systems and incident response plans;
- Practicing and testing such procedures on a regular basis;
- Investing in the implementation of appropriate technical and organizational measures to ensure data security.
The regulation can be accessed here. It will enter into force 20 days after its publication in the EU Official Journal. Its provisions will be directly applicable in all member states two years after this date of publication.