Guest Blog copied from UCToday by Ian Bevington, Marketing Manager at Oak Innovation – part of a series on GDPR, available at the Oak Innovation News Centre.
The General Data Protection Regulation (GDPR) that comes into force across the EU in May 2018 will introduce a duty on all organisations to report certain types of data breach to the relevant supervisory authority, and in some cases to the individuals affected.
There are a lot of new terms introduced with the GDPR, and each has its own definition. For example, a data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data.
Whilst under the current law there are no obligations on data processors to notify data breaches, the GDPR is specific on laying out when firms must notify their relevant supervisory authority, when individuals must be notified and in what time period these notifications have to be made.
Failure to follow these rules is considered to constitute non-compliance with the GDPR and leaves a business or organisation open to the relevant fines being imposed.
You only have to notify the relevant supervisory authority of a breach where it is likely to result in a risk to the rights and freedoms of individuals. If unaddressed, such a breach is likely to have a significant detrimental effect on individuals – for example, result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage.
Where a breach is likely to result in a high risk to the rights and freedoms of individuals, you must notify those concerned directly, and here the GDPR specifies what kind of information regarding the breach must be reported.
Any personal data identifiers – say, email addresses, online account IDs, and possibly IP addresses – could easily pass the "likely to result in a risk" test.
In addition, if the breached personal data contains more monetisable personal data – bank account numbers or other financial identifiers – then you can say the breach is ‘likely to harm’ the individual. In this situation, both the consumer and the supervisory authority will have to be notified.
The timescale for reporting a breach is important. A notifiable breach must be reported to the relevant supervisory authority within 72 hours of the organisation becoming aware of it. The GDPR recognises that it will often be impossible to investigate a breach fully within that time-period and allows firms to provide information in phases.
If the breach is sufficiently serious to warrant notification to the public, the organisation responsible must do so without undue delay.
And here is where the GDPR begins to bite: failing to notify a breach when required to do so can result in a significant fine of up to 10 million Euros or 2 per cent of your global turnover.
Therefore, firms must seriously consider having in place a process for reporting breaches that all staff understand. Staff must know what constitutes a data breach and that this is more than a loss of personal data.
Staff processes must be designed to facilitate decision making about whether to notify the relevant supervisory authority or the public.
Clearly, this tight timescale for reporting breaches will be challenging for many organisations. Past experience of breaches that went unnoticed for a number of weeks means that robust breach detection, investigation and internal reporting procedures must be in place.
Failure to detect a breach and report it within 72 hours results in a firm having to provide a ‘reasoned justification’ for the delay to the relevant authority. Overall, these new provisions clearly place administrative burdens on organisations.