This update aims to provide you with a practical overview of the most relevant changes resulting from the General Data Protection Regulation (GDPR), applicable as from 25 May 2018. This month’s issue discusses the security of personal data and the procedures to be followed in the event of a personal data breach.
Protection of personal data under the GDPR As data security requirements also exist under the Data Protection Directive (Directive 95/46/EC) many companies have already adopted technical and organisational security measures to protect personal data. However, these security requirements will be extended under the GDPR. The GDPR also contains a data breach notification obligation, similar to the data breach obligations that were introduced in the Netherlands last year.
Security measures The current Data Protection Directive requires data controllers to contractually impose data security requirements on data processors.
The GDPR now imposes these requirements directly upon data processors, and exposes data processors to fines, penalties and compensation claims for failure to comply with these requirements. Consequently, the level of risk faced by data processors under the GDPR is significantly increased. In next month’s GDPR Update, we will discuss the new obligations for data processors in further detail.
Under the GDPR, both data controllers and data processors must implement appropriate technical and organizational security measures to protect personal data against accidental or unlawful destruction or loss, alteration, unauthorized disclosure or access. Depending on the nature, scope, context and purposes of the processing, these measures may include:
- pseudonymisation and encryption of the personal data;
- on-going review of security measures and processing systems and services;
- redundancy and back-up facilities; and
- regular testing of the security measures.
If your business involves the processing personal data through mobile applications or web services, please note that the European Data Protection Supervisor has published guidelines in this respect, which can be seen as a list of best practices.
Notification of a personal data breach to the supervisory authority and data subjects The importance of adequate security measures will drastically increase with the introduction of a data breach notification obligation in the GDPR.
A ‘data breach’ is defined in the GDPR as: “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
A data breach can take many forms: from a person entering a building and accessing or even taking personal data, to the more infamous example of a hacker. A lost phone, laptop or USB-stick can also be regarded as a data breach.
When a data breach is discovered, the data controller will immediately have to notify this breach to the competent supervisory authority and, in certain situations, also to the data subjects concerned.
Who, what & when to notify As the data breach notification to the competent supervisory authority has to be made immediately (without undue delay,and at least within 72 hours after the data controller has become aware of the data breach), it will be too late to draw up a plan of action once a data breach is actually discovered. Therefore, as from 25 May 2018, each organization will need to have a (proactive and reactive) action plan in place for the unlikely event of a data breach.
Ideally, the data controller provides all information concerning the data breach to the competent supervisory authority. This information should at least include:
a description of the nature of the breach;
contact details of the responsible data protection officer or any other contact person;
likely consequences of the breach; and
proposed and imposed measures that were taken to limit harmful effects.
If the data controller is not able to provide all the information at once, he is still obliged to notify the data breach to the authority within the stipulated time frame. The remainder of the required information must be provided at a later stage, directly after it has become available to the data controller.
The data breach notification is not required in case the data breach is ‘unlikely’ to result in a risk for the rights and freedoms of data subjects. If the data breach is ‘likely’ to pose a ‘high risk’ to fundamental rights or freedom of natural persons, the data controller is obliged to (also) inform the relevant data subjects of the data breach. Also this notification needs to be made ‘without undue delay’. In order to be prepared for this new requirement, data controllers may use the coming months to compile and/or update their data subject contact information.
The notification to the data subjects should in any case describe in clear language the nature of the data breach, as well as contact details of the data protection officer or the data controller, an overview of likely consequences of the breach, and the measures taken or proposed to be taken to limit the harmful consequences of the data breach.
Exceptions to notifying the data subject exist i) if appropriate (technical or organisational) protective measures were in place making the data illegible for third parties (e.g. encrypted data), ii) if the risk is no longer likely to materialize or iii) if informing the data subjects would involve disproportionate efforts. These grounds are to be interpreted strictly.
If a data processor becomes aware of a data breach, the data processor is obliged to inform the data controller thereof without undue delay.
What do these changes mean for your organisation and how can you prepare for them?
Consider whether it is necessary to take (additional) data security measures such as pseudonymisation or encryption of personal data.
Identify the competent supervisory authorities that must be notified in case of a data breach.
Set up internal procedures and protocols and appoint responsible persons for identifying, reviewing and notifying data breaches.
Compile list of relevant contact details of data subjects.
Ensure that data processing agreements contain an obligation for the data processor to fully cooperate with the data controller in case a data breach occurs (for example by providing details about the breach to the data controller or to the supervisory authority).