published on by Niamh Elisabeth McShane - 3 min read

In our last blog we spoke about the 6 biggest changes to the EU General Data Protection Regulation (GDPR).

Today we’re going to go into more detail, with an example of how these changes affect your organization in practical terms. The example we are using is highly topical, not only due to its relevance to the GDPR but also as a result of its pertinence to high profile scandals. We’re talking about data breach notification procedures.

Personal Data Breach Notification Procedures

For many organizations, having a breach notification procedure in place is a legal requirement, ensuring that in the case of a serious personal data breach the correct actions are executed in accordance with legal guidelines. The consequences of delayed or ineffective reactions to data breaches can be dire, as seen in the recent Equifax scandal, in which 143 million US citizens had their most sensitive data exposed. The haphazard and tardy response by the company will no doubt result in harsh legal action, and has already resulted in the resignation, effective immediately, of two C-Suite executives and now the CEO – not to mention the irrevocable damage to reputation and customer trust.

The updates to the GDPR make explicit reference to “personal data breaches,” as well as to notification requirements towards both the supervisory authority and affected data subjects. So what defines personal data? The GDPR’s definition is quite similar to existing legislative definitions: personal data is “any information relating to an identified or identifiable natural person (“data subject”).” Correspondingly, under the GDPR a “personal data breach” is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.”

Avoiding Penalties

The GDPR explicitly states that in the event of a personal data breach, data controllers must notify the relevant supervisory authority. If the controller has determined that the personal data breach “is likely to result in a high risk to the rights and freedoms of individuals,” it must also communicate information regarding the personal data breach to the affected data subjects “without undue delay.”

As we touched on in our previous post, as of May 25 2018, data breaches will result in higher penalties than previously mandated—up to 4% of annual global turnover or €20 million, whichever is greater—so it is crucial that your organization has adequate measures in place for timely notification of both the supervisory authority and the data subject.

Decision models and workflow automation

Waiting until your organization must react to a personal data or security breach before you figure out what the process for dealing with it should be is categorically leaving it too late, and may make a bad situation a whole lot worse. This is why you must model your breach response process.

First of all, it is important to define and document whether or not the security breach experienced is in fact a data breach. A decision model in which the employee is prompted to consider whether or not personal data has been compromised, and whether or not one can reasonably exclude or must assume that personal data has been processed unlawfully, will ensure that there is no room for doubt and will provide guidance on how to proceed. Decision models will also help to clear up more abstract compliance-related risk queries, providing rules which answer questions such as “If an employee left their laptop on a train, do I have to notify my country’s Data Protection Authority?”

In addition, an automated workflow will aid you in deciding whether or not you have to notify the Data Protection Authority (DPA), and whether you additionally have to notify the data subjects, meaning the customers whose data was compromised. Ensuring that the whole process is automated removes the margin for noncompliant behaviour and makes certain that audit requirements – logging which incidents should be reported and when, who handled them and how – are taken seriously. The 72 hour deadline means that responsibility for notification may often need to be delegated, particularly in a large organization. In some situations, company boards may have to sign off on this delegation in advance, as there may not be time for the Data Protection Officer to present to the board in the event of a breach. This means that not only do you remove the margin for non-compliant behaviour, but you also accelerate the notification decision process and so reduce the risk of missing the 72 hour deadline. This is critically important, because if you don’t notify the Data Protection Authority within 72 hours of discovering a breach, you can be liable for a fine of at least €10 million.
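The decision model and automated workflow described in the two paragraphs above can be expressed as a small rules engine. The following is an added example, not code from the original post or from the author’s organization: it encodes the questions the post lists (is personal data involved? can a risk to individuals reasonably be excluded? is the risk high?) as rules, computes the 72 hour DPA deadline from the discovery time, and writes an audit record of who decided what and when. The three-level `Risk` scale, the `Incident` and `Decision` fields and the sample incidents are assumptions constructed for the example; the “laptop on a train” cases are constructed sample inputs matching the question quoted in the post.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import List, Optional, Tuple

# Statutory window for notifying the supervisory authority after discovery.
NOTIFICATION_WINDOW = timedelta(hours=72)


class Risk(Enum):
    """Assessed risk to the rights and freedoms of the affected individuals
    (assumed three-level scale for this example)."""
    NONE = "none"   # risk can reasonably be excluded (e.g. data unreadable to the finder)
    RISK = "risk"   # some risk to individuals
    HIGH = "high"   # likely to result in a high risk to individuals


class Action(Enum):
    DOCUMENT_ONLY = "document internally; no notification required"
    NOTIFY_DPA = "notify the supervisory authority within 72 hours"
    NOTIFY_DPA_AND_SUBJECTS = "notify the supervisory authority and affected data subjects"


@dataclass(frozen=True)
class Incident:
    incident_id: str            # placeholder id, constructed for the example
    summary: str
    discovered_at: datetime     # timezone-aware moment the breach was discovered
    personal_data_affected: bool
    risk: Risk


@dataclass(frozen=True)
class Decision:
    """Audit record: what was decided, why, by whom, when, and the deadline it implies."""
    incident_id: str
    action: Action
    rationale: str
    dpa_deadline: Optional[datetime]
    decided_by: str
    decided_at: datetime


def classify(incident: Incident) -> Tuple[Action, str]:
    """Apply the decision rules in order; the first matching rule wins."""
    if not incident.personal_data_affected:
        return Action.DOCUMENT_ONLY, "no personal data involved: security incident, not a personal data breach"
    if incident.risk is Risk.NONE:
        return Action.DOCUMENT_ONLY, "personal data involved, but risk to individuals can reasonably be excluded"
    if incident.risk is Risk.HIGH:
        return Action.NOTIFY_DPA_AND_SUBJECTS, "likely high risk to individuals: DPA and data subjects must be informed"
    return Action.NOTIFY_DPA, "risk to individuals cannot be excluded: DPA must be informed"


def decide(incident: Incident, decided_by: str, audit_log: List[Decision],
           decided_at: Optional[datetime] = None) -> Decision:
    """Run the workflow for one incident and append the result to the audit log."""
    decided_at = decided_at or datetime.now(timezone.utc)
    action, rationale = classify(incident)
    # The 72 hour clock starts at discovery, not at the moment the decision is made.
    deadline = None if action is Action.DOCUMENT_ONLY else incident.discovered_at + NOTIFICATION_WINDOW
    record = Decision(incident.incident_id, action, rationale, deadline, decided_by, decided_at)
    audit_log.append(record)
    return record


def hours_remaining(decision: Decision, now: datetime) -> Optional[float]:
    """Hours left until the DPA deadline; negative once it has passed; None if no deadline applies."""
    if decision.dpa_deadline is None:
        return None
    return (decision.dpa_deadline - now).total_seconds() / 3600


# Constructed sample incidents: the same "laptop on a train" scenario with and without protection.
DISCOVERED = datetime(2018, 5, 28, 9, 0, tzinfo=timezone.utc)
SAMPLE_INCIDENTS = [
    Incident("INC-0001", "Encrypted laptop left on train, key not compromised", DISCOVERED, True, Risk.NONE),
    Incident("INC-0002", "Unencrypted laptop with customer records left on train", DISCOVERED, True, Risk.HIGH),
    Incident("INC-0003", "Web server defaced, no personal data stored on it", DISCOVERED, False, Risk.NONE),
    Incident("INC-0004", "Mailing list of contacts sent to wrong recipient", DISCOVERED, True, Risk.RISK),
]


def run_samples(decided_by: str = "dpo-delegate") -> List[Decision]:
    log: List[Decision] = []
    for incident in SAMPLE_INCIDENTS:
        decide(incident, decided_by, log, decided_at=DISCOVERED + timedelta(hours=2))
    return log


if __name__ == "__main__":
    for rec in run_samples():
        left = hours_remaining(rec, DISCOVERED + timedelta(hours=24))
        print(f"{rec.incident_id}: {rec.action.value} ({rec.rationale}); hours to DPA deadline: {left}")
```

Running the block prints one audit line per sample incident; in a real deployment `audit_log` would be a write-once store rather than an in-memory list, and `decided_by` would come from the authenticated user so that the delegation the post mentions is itself traceable.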

Next steps

The changes to the GDPR are certainly creating a lot of waves, but their implementation within your organization’s existing structures need not be complicated. If you want to find out more about establishing a roadmap for adopting breach notification procedures at your organization, or about how to model the decision rules and business processes required, why not let our experts show you how?