On May 25, 2018, the General Data Protection Regulation (GDPR) will go into effect across the EU. The purpose of this regulation is to harmonize Europe’s regulatory environment by creating a ‘one-stop shop’ for data protection. The GDPR applies to European companies in all sectors, but also to any business, wherever it is based, that processes or collects the personal data of individuals in the EU.
The GDPR is broad in its scope, so in this piece, we’ll focus specifically on data breach notification requirements. Here are a few key points to know about the new regulation, and what it might mean for your organization.
The GDPR is expected to cause a difficult transition period for companies used to the requirements of the previous regime, the Data Protection Directive 95/46/EC. Gartner has predicted that, six months after the implementation of the GDPR, 50% of companies will not have achieved compliance. This level of expected noncompliance is particularly significant, considering the scope of potential fines. The largest possible sanction is a fine of 20,000,000 EUR, or up to 4% of the company’s annual worldwide turnover of the preceding financial year, whichever is higher.
The GDPR requires a data controller to report any “personal data breach” to its supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. If a data processor—a company that processes data on behalf of another company that controls the data—is breached, the data processor must notify the data controller of the breach “without undue delay”. If the breach is likely to result in a high risk to the individuals concerned, those individuals must also be informed without undue delay. There are some exceptions to the obligation to notify individuals, such as where the affected data was rendered unintelligible to unauthorised parties via technical controls such as encryption, or where the controller has since taken measures that make the high risk unlikely to materialise.
It is worth noting that the GDPR has a broader definition of a “personal data breach” than most U.S. state breach notification laws, which typically cover only unauthorised acquisition of certain categories of data. The GDPR considers a personal data breach to be, “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. Ransomware that encrypts records, or a misconfiguration that deletes them, is therefore a reportable breach even if no data left the organization.
The GDPR (Article 33(3)) requires that a breach notification to a supervisory authority must, at least: describe the nature of the breach, including where possible the categories and approximate number of data subjects and personal data records concerned; give the name and contact details of the data protection officer or another contact point; describe the likely consequences of the breach; and describe the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects. Where this information cannot all be provided at once, it may be provided in phases without undue further delay.
These expectations for breach notifications, combined with the 72-hour turnaround time, mean that companies need to be proactive about their methods of recording and organizing the required information. There will not be enough time to put together a response plan on a case-by-case basis.
The 72-hour timeframe for breach notifications appears to set a clear deadline, but it is surrounded by vague language such as “without undue delay” and “where feasible”, and the clock starts when the controller “becomes aware” of the breach, a point that is itself open to interpretation. These caveats leave a great deal of leeway in how a supervisory authority will interpret the regulation. Companies should do their best to understand which supervisory authority they will be primarily dealing with, and look at that authority’s published guidance and enforcement history to understand how it is likely to apply the rules.
Some of the world’s largest organizations in highly regulated industries use D3’s Incident Management Platform to help them meet their compliance obligations and avoid fines. When dealing with broad regulations like the GDPR, the best way to minimize risk is to have as much relevant data as possible ready to present. With D3, you can record, track, and deliver all the data associated with a breach in one centralized platform—getting away from inefficient spreadsheets and siloed information systems. D3’s analytics and reporting features make it easy to understand the situation and notify your supervisory authority within the tight 72-hour timeframe.
The GDPR breach notification requirements state that companies must describe their plan for mitigating the incident. Having D3’s solution in place will demonstrate a commitment to incident management, with centralized records of exactly what is being done to protect against the damage of data breaches and other security events.
Schedule a demo to learn more about how D3 can help you empower your compliance, security, and risk management programs.