EU GDPR Data Breach Requirements: What You Need to Know

On May 25, 2018, the General Data Protection Regulation (GDPR) will go into effect across the EU. The purpose of this regulation is to harmonize Europe’s regulatory environment by creating a ‘one-stop shop’ for data protection. The GDPR applies to European companies in all sectors, but also any business that processes or collects the personal data of EU residents.

The GDPR is broad in its scope, so in this piece, we’ll focus specifically on data breach notification requirements. Here are a few key points to know about the new regulation, and what it might mean for your organization.

Companies aren’t Prepared, and the Potential Fines are Massive

The GDPR is expected to cause a difficult transition period for companies used to the requirements of the previous regulation, Data Protection Directive 95/46/EC. Gartner has predicted that, six months after the implementation of the GDPR, 50% of companies will not have achieved compliance. This level of expected noncompliance is particularly significant, considering the scope of potential fines. The largest possible sanction is a fine of 20,000,000 EUR, or up to 4% of the company’s annual worldwide turnover of the preceding financial year, whichever is greater.

Data Breaches Must be Reported Right Away

The GDPR requires companies to report any “personal data breach” to their supervisory authority within 72 hours. If a data processor—a company that processes data on behalf another company that controls the data—is breached, the data processor must notify the data controller of the breach “without undue delay”. If an adverse impact is determined to result from the breach, the individuals whose data was compromised must also be informed. There are some exceptions, such as if the data is anonymized or adequately protected via technical controls such as encryption.

It is worth noting that the GDPR has a more broad definition of a “personal data breach” than most U.S. state legislations. The GDPR considers a personal data breach to be, “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.

Notifications Must Include Detailed Information

The GDPR requires that a breach notification to a supervisory authority must, at least:

  1. “describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
  2. communicate the name and contact details of the data protection officer or another contact point where more information can be obtained;
  3. describe the likely consequences of the personal data breach;
  4. describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.”

These expectations for breach notifications, combined with the 72-hour turnaround time, mean that companies need to be proactive about their methods of recording and organizing the required information. There will not be enough time to put together a response plan on a case-by-case basis.

The Definitions in the GDPR Leave some Room for Interpretation

The 72-hour timeframe for breach notifications appears to set a clear deadline, but it is surrounded by vague language such as “without undue delay” and “where feasible”. These caveats leave a great deal of leeway in how a supervisory authority will interpret the regulation. Companies should do their best to understand which supervisory authority they will be primarily dealing with, and look at precedents to understand how that authority is likely to enforce the rules.

How Can D3 Security Help With GDPR Compliance?

Some of the world’s largest organizations in highly regulated industries use D3’s Incident Management Platform to help them meet their compliance obligations and avoid fines. When dealing with broad regulations like the GDPR, the best way to minimize risk is to have as much relevant data as possible ready to present. With D3, you can record, track, and deliver all the data associated with a breach in one centralized platform—getting away from inefficient spreadsheets and siloed information systems. D3’s analytics and reporting features make it easy to understand the situation and notify your supervisory authority within the tight 72-hour timeframe.

The GDPR breach notification requirements state that companies must describe their plan for mitigating the incident. Having D3’s solution in place will demonstrate a commitment to incident management, with centralized records of exactly what is being done to protect against the damage of data breaches and other security events.

Schedule a demo to learn more about how D3 can help you empower your compliance, security, and risk management programs.

Social Icon
Stan Engelbrecht

Stan is the director of D3’s cybersecurity practice and an accredited CISSP. Stan is involved throughout the product delivery and customer success lifecycle, and takes particular interest in working with customers to configure organization- and industry-tailored solutions. You can find Stan speaking about cybersecurity issues at conferences, in the media, and as the chapter president for a security special interest group.