Published on July 24, 2021 AUTHOR - PRIVACY RESEARCH TEAM
The GDPR was adopted in 2016 and has applied since 25 May 2018. Its purpose is to give individuals rights over their personal data through a uniform standard of protection across the EU. In this spirit, the GDPR imposes strict personal data breach notification requirements with tight deadlines.
The GDPR defines a personal data breach as a security incident leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed by an organization.
A personal data breach can be of three types:
A confidentiality breach happens when there is unauthorized or accidental disclosure of, or access to, personal data. An example of this kind of data breach can be an email with the personal data of an organization's employees, including name, address, salary, national insurance number, and date of birth, which is inadvertently sent to the wrong recipient.
An integrity breach happens when there is an unauthorized or accidental alteration of personal data. An example of this kind of data breach is a record whose contact details are overwritten by accident, so that later correspondence about one individual is sent to another person.
An availability breach happens when there is an unauthorized or accidental loss of access to, or destruction of, personal data. This includes both permanent and temporary loss of personal data, for example a security incident in which an individual's data is accidentally deleted from the database, or a ransomware infection that leaves the data unavailable until it is restored.
A personal data breach can cause significant harm to the data subject and may result in physical, material, or non-material damage, including emotional distress.
The GDPR requires organizations to report personal data breaches to supervisory authorities and impacted data subjects. However, not every personal data breach needs notification.
Let's explore the circumstances under which a personal data breach warrants notification along with other breach notification requirements.
As per Articles 33 and 34 of the GDPR, only those personal data breaches that are likely to result in a risk to the rights and freedoms of data subjects require notification. The organization must notify all such breaches to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Where the breach is likely to result in a high risk to the rights and freedoms of data subjects, the organization must also notify the impacted data subjects without undue delay.
As per Articles 33 and 34 of the GDPR, three notifications may be required: the controller notifies the supervisory authority (Article 33(1)); the controller notifies the affected data subjects where the risk is high (Article 34(1)); and a processor that becomes aware of a breach notifies the controller without undue delay (Article 33(2)).
Where the notification to the supervisory authority is not made within 72 hours, it must be accompanied by the reasons for the delay. The information relating to a personal data breach may also be provided to the supervisory authority in phases if it cannot all be provided at the same time; however, each part must be provided without undue further delay (Article 33(4)).
The personal data breach notification should, in clear and plain language, consist of the following (Article 33(3)): the nature of the breach, including where possible the categories and approximate number of data subjects and personal data records concerned; the name and contact details of the data protection officer or another contact point; the likely consequences of the breach; and the measures taken or proposed to address the breach and mitigate its possible adverse effects.
For notification to the supervisory authority, the only threshold is the one above: a breach that is unlikely to result in a risk to data subjects need not be notified, and there are no further exceptions. Notification to impacted data subjects is not required where any of the conditions in Article 34(3) is met: the controller had applied appropriate protection measures to the affected data, such as encryption that renders it unintelligible to anyone not authorized to access it; the controller has taken subsequent measures that ensure the high risk is no longer likely to materialize; or individual notification would involve disproportionate effort, in which case a public communication or similar measure must inform data subjects equally effectively.
Under Article 33(5) of the GDPR, data controllers must document every personal data breach. Such documentation must record at least the facts relating to the breach, its effects, and the remedial action taken. Organizations should also record the steps taken after a security incident in a single breach report even when they are not required to notify the supervisory authority or data subjects; these reports are how an organization demonstrates compliance to the supervisory authority.
Under Article 34(4) of the GDPR, where the data controller has not notified data subjects, the supervisory authority may require it to do so after considering whether the personal data breach is likely to result in a high risk to data subjects.
To prevent personal data breaches, organizations must implement appropriate security controls relevant to the circumstances of data processing. Such security controls may be preventative (security measures to limit the personal data breaches) and remedial (mitigation measures to limit the impact of a personal data breach that has happened) in nature.
Organizations must consider the following factors, taken from Article 32(1), when choosing an appropriate security control for the protection of personal data: the state of the art, the costs of implementation, the nature, scope, context and purposes of the processing, and the risk of varying likelihood and severity for the rights and freedoms of natural persons.
In addition to the considerations above, an ideal security control must have the following abilities:
Despite security controls, security incidents will inevitably take place. However, not every security incident qualifies as a personal data breach, and not every personal data breach requires notification to the supervisory authority and impacted data subjects. Therefore, every organization must have an effective and robust breach response process. It must have a mechanism to determine when a security incident is a personal data breach, to determine when a personal data breach must be notified, to identify areas of improvement, and to implement the remediation measures needed to reduce the consequences for data subjects.
Once a security incident has taken place, an organization must respond to it immediately. An effective breach response mechanism has the following steps:
The first step is to contain the security incident immediately: recover lost information where possible, isolate or disable the breached system, revoke or rotate compromised credentials and access tokens, and close the weakness in the organization's physical or technical security that was exploited. Containment limits the risks posed to data subjects.
The second step is to determine whether the security incident qualifies as a personal data breach. The definition of a personal data breach differs from one privacy law to another, so the organization must conduct the assessment against the law of its jurisdiction.
Once a personal data breach has been confirmed, the next step is to evaluate the severity of the potential or actual impact on data subjects and the likelihood that the impact materializes. This takes into account the nature of the harm that may be caused to data subjects, whether the breached personal data was sensitive, whether the breached personal data was protected by a security control such as encryption, the number of data subjects affected, and any other relevant factors. The outcome of this risk severity assessment determines the breach notification requirements.
The results of the risk severity assessment tell the organization whether it must notify the supervisory authority, the impacted data subjects, both, or neither. It must fulfill its notification obligations within the stipulated time frames, discussed in detail above, to avoid penalties and sanctions.
After every security incident and personal data breach, the organization must review and update its breach response mechanism and assess whether its security controls are effective enough to prevent similar incidents in the future.
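The response steps above, together with the Article 33 and 34 rules described earlier, can be codified so that incident managers apply them consistently. The following is an added example, not code from the original article or from Securiti's product. Its mapping of incident effects to breach types follows the Article 4(12) definition; the risk scoring rule and the 1000-subject "high risk" threshold are assumptions made for illustration, and the sample incidents are constructed.

```python
"""GDPR personal data breach triage helper (added example, not from the article)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


class BreachType(Enum):
    CONFIDENTIALITY = "confidentiality"  # unauthorized disclosure of, or access to, personal data
    INTEGRITY = "integrity"              # unauthorized or accidental alteration
    AVAILABILITY = "availability"        # loss or destruction, permanent or temporary


# Effects named in the Article 4(12) definition, mapped onto the three breach types.
_EFFECT_TO_TYPE = {
    "disclosure": BreachType.CONFIDENTIALITY,
    "access": BreachType.CONFIDENTIALITY,
    "alteration": BreachType.INTEGRITY,
    "loss": BreachType.AVAILABILITY,
    "destruction": BreachType.AVAILABILITY,
}

SA_NOTIFICATION_WINDOW = timedelta(hours=72)  # Article 33(1): 72 hours after becoming aware
HIGH_RISK_SUBJECT_THRESHOLD = 1000  # assumed scale threshold for "high risk"; not a GDPR figure


@dataclass(frozen=True)
class Incident:
    incident_id: str
    aware_at: datetime                     # when the controller became aware (starts the 72h clock)
    personal_data_affected: bool
    effects: frozenset                     # subset of _EFFECT_TO_TYPE keys
    subjects_count: int = 0
    special_category: bool = False         # Article 9 data (health, biometrics, ...)
    data_unintelligible: bool = False      # e.g. encrypted, key not compromised (Art. 34(3)(a))
    risk_mitigated: bool = False           # subsequent measures taken (Art. 34(3)(b))
    disproportionate_effort: bool = False  # individual notice infeasible (Art. 34(3)(c))


def classify(incident):
    """Step 2: decide whether the incident is a personal data breach and of which type(s)."""
    if not incident.personal_data_affected:
        return set()  # a security incident, but not a personal data breach
    unknown = set(incident.effects) - set(_EFFECT_TO_TYPE)
    if unknown:
        raise ValueError(f"unknown breach effect(s): {sorted(unknown)}")
    return {_EFFECT_TO_TYPE[e] for e in incident.effects}


def assess_risk(incident):
    """Step 3: 'none', 'risk' or 'high' (assumed scoring rule, illustrative only)."""
    types = classify(incident)
    if not types:
        return "none"
    # Confidentiality-only exposure of data rendered unintelligible is unlikely to result in a risk.
    if types == {BreachType.CONFIDENTIALITY} and incident.data_unintelligible:
        return "none"
    if incident.special_category or incident.subjects_count >= HIGH_RISK_SUBJECT_THRESHOLD:
        return "high"
    return "risk"


def notification_plan(incident, now):
    """Step 4: who must be notified, by when, and which Article 34(3) exception applies."""
    risk = assess_risk(incident)
    plan = {
        "incident_id": incident.incident_id,
        "breach_types": sorted(t.value for t in classify(incident)),
        "risk": risk,
        "notify_supervisory_authority": False,
        "sa_deadline": None,
        "sa_overdue": False,
        "notify_data_subjects": False,
        "public_communication": False,
        "notes": [],
    }
    if risk == "none":
        plan["notes"].append("No notification required; document internally (Art. 33(5)).")
        return plan
    plan["notify_supervisory_authority"] = True
    plan["sa_deadline"] = incident.aware_at + SA_NOTIFICATION_WINDOW
    if now > plan["sa_deadline"]:
        plan["sa_overdue"] = True
        plan["notes"].append("72h window missed: state the reasons for the delay (Art. 33(1)).")
    if risk == "high":
        if incident.data_unintelligible or incident.risk_mitigated:
            plan["notes"].append("Data subject notice not required (Art. 34(3)(a)/(b)).")
        elif incident.disproportionate_effort:
            plan["public_communication"] = True
            plan["notes"].append("Public communication instead of individual notice (Art. 34(3)(c)).")
        else:
            plan["notify_data_subjects"] = True
    plan["notes"].append("Record facts, effects and remedial action in the breach register (Art. 33(5)).")
    return plan


# Constructed sample incidents (illustrative, not real cases).
T0 = datetime(2021, 7, 1, 9, 0, tzinfo=timezone.utc)
PROMPT_NOW = T0 + timedelta(hours=10)
LATE_NOW = T0 + timedelta(hours=80)
MISDIRECTED_EMAIL = Incident("INC-1", T0, True, frozenset({"disclosure"}), subjects_count=40)
STOLEN_ENCRYPTED_DISK = Incident("INC-2", T0, True, frozenset({"disclosure", "access"}),
                                 subjects_count=5000, data_unintelligible=True)  # copies retained
HEALTH_DB_EXPOSURE = Incident("INC-3", T0, True, frozenset({"access"}),
                              subjects_count=200, special_category=True)
OUTAGE_NO_PERSONAL_DATA = Incident("INC-4", T0, False, frozenset({"loss"}))

if __name__ == "__main__":
    for inc, now in [(MISDIRECTED_EMAIL, PROMPT_NOW), (STOLEN_ENCRYPTED_DISK, PROMPT_NOW),
                     (HEALTH_DB_EXPOSURE, LATE_NOW), (OUTAGE_NO_PERSONAL_DATA, PROMPT_NOW)]:
        print(notification_plan(inc, now))
```

The 72-hour clock is keyed to the moment of awareness, not the moment of the incident, so `aware_at` should be recorded as soon as an incident is suspected of involving personal data; the helper reports an overdue notification rather than suppressing it, because a late notification with stated reasons is still required. The special-category and threshold rules are deliberately simple placeholders; a real assessment would also weigh the nature of the harm, as the text above describes.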
Failure to notify a personal data breach as per the requirements of the GDPR may expose your organization to a regulatory fine of up to 10,000,000 euros or 2% of the total worldwide annual turnover of the preceding financial year (whichever is higher) and other penalties.
There have been several cases in which organizations paid substantial fines for failing to comply with applicable data privacy regulations, including failures to report breaches in time.
Securiti's Data Breach Management provides a comprehensive workflow to manage the entire breach management lifecycle. It comes integrated with other product modules to provide out-of-the-box automation for various aspects of breach management.
Securiti offers an automated and integrated approach that has three components.
With a Data Breach workbench, organizations can centralize & collect all incoming breach requests on an internal privacy portal. The privacy officers can use the workbench to manage the entire lifecycle of a data breach that includes the following stages:
With Sensitive Data Intelligence, administrators can identify what data was compromised and whose data it was. Sensitive Data Intelligence automatically discovers hundreds of sensitive data attributes stored in on-premises or cloud-based data stores and uses the People Data Graph to link the data to the individuals it belongs to.
A Data Breach Management program isn't complete without relevant knowledge about international laws and regulations. With Securiti's Data Breach Management module, organizations can use built-in research data to identify notification requirements, exceptions, and remediation provisions. Based on who is impacted and the nature of the data breach, the relevant information is automatically presented to incident managers.
Securiti's Data Breach Management module is an end-to-end solution for your entire incident response lifecycle.
The GDPR is the benchmark for modern privacy laws, and many of the privacy laws and regulations passed in other jurisdictions since draw on the principles it laid down. For organizations with global operations, it is important to have a robust, reliable data breach management solution that automates processes and reduces response time. Securiti's data breach management solution has been designed for this purpose and has helped several organizations prepare for data breach incidents.