Recent data security breaches - what if the GDPR applied?

The recent highly publicised cyber security attack on Equifax provides a jarring reminder of the prevalence of cyber security issues and the fact that it is a question of when, as opposed to if, an attack will happen.

For those of us in Europe, one question to answer in light of this and other recent attacks is how the General Data Protection Regulation (GDPR) will affect things when it comes into force on 25 May 2018.

As a reminder, under the new rules, which will sweep away the existing EU Directive, companies can face fines of up to 4% of global turnover or €20 million, whichever is the higher, for the most serious of breaches.

Key changes and their implications under the GDPR include:

  • New mandatory breach notification obligations: the GDPR places a new obligation on organisations to report data breaches to the data privacy regulator – in the UK this means the Information Commissioner’s Office (ICO) – within 72 hours ‘if feasible’ and in any event, ‘without undue delay’. Thus any organisation sitting on the information, even for good reason (e.g. working out what actually happened), will likely be in breach under the GDPR. However, the breach does not have to be notified if it does not give rise to a high risk to the individuals concerned, e.g. where their data is encrypted such that their identities cannot be ascertained. Accordingly, organisations should ensure that robust breach detection, investigation and internal reporting procedures are put in place in advance of any incident so that a timely notification can be made.

    The GDPR recognises that it may not be possible to fully investigate a breach within the stated period, and therefore allows for information to be released to the privacy regulator in phases, which should help with meeting the notification obligations.

  • Notifying the individuals: Where the breach poses a “high risk to the rights and freedoms” of individuals (such as where there is a possibility that identity theft could ensue), the GDPR places a further obligation on organisations to notify affected individuals directly and again, “without undue delay”. This would not be required where the breach involves data that has been rendered “unintelligible”, for example through encryption, or where direct notification would involve disproportionate effort. In the latter case, a mass notification may suffice.

  • Extraterritorial reach of GDPR: Organisations outside the EU will fall under the auspices of the GDPR where they target the EU when offering goods or services (e.g. having a German language web site) or monitoring the behaviour of EU citizens, for example, through the use of cookies. This applies even if they do not have any presence or use any equipment (e.g. servers) in the EU. A recent survey conducted by Vanson Bourne of more than 1,600 organisations worldwide found that 37 percent of respondents don't know whether or not their organisation needs to comply with GDPR. With the scale of non-compliance fines at stake, organisations need to start identifying whether they target European citizens and, if so, to start taking steps to ensure GDPR compliance.

Preparedness: In light of all of this, organisations must ensure that they put procedures in place to detect, report and investigate a data breach, in particular by identifying the specific organisational risks attached to personal data. Further, whilst the appointment of a data protection officer will be mandatory for some organisations such as insurance companies, it may be prudent for any organisation which heavily relies on the use of personal data to appoint a data protection officer to lead and monitor data privacy compliance.

Additionally, staff will need to be periodically trained on data security issues, and systems continually updated, to ensure constant vigilance – all it takes is for a single vulnerability to go unnoticed, or for a single individual to fail to deploy a necessary patch against it. This also means having a response action plan and PR strategy in place that can be rapidly deployed in the event of a data breach.

Another lesson is that personal data should be encrypted and pseudonymised as far as possible. Pseudonymisation – a new concept recognised by the GDPR – is the separation of data from direct identifiers so that linkage to an identity is not possible without additional information (a “key”) that is separately and securely stored. Former Equifax CEO Richard Smith admitted that the data compromised in Equifax’s customer-dispute portal was stored in plaintext and would have been easily readable by attackers. Used effectively, these encryption and pseudonymisation techniques should prevent, or at least delay, attackers from extracting meaningful information from compromised data – allowing organisations some much needed breathing room to mitigate the fallout from a security breach.
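A minimal sketch of the pseudonymisation described above, added here as an illustration and not taken from the article or from any organisation it mentions. The field names, the constructed sample records and the choice of HMAC-SHA256 as the keyed function are assumptions; the key and the linkage table stand for the "additional information" that must be stored separately from the working data.

```python
import hashlib
import hmac
import secrets

# Assumed names of the direct identifiers in each record.
DIRECT_IDENTIFIERS = ("name", "email")

def pseudonym(key: bytes, record: dict) -> str:
    """Derive a stable pseudonym from the direct identifiers.

    A keyed HMAC is used instead of a plain hash: an unkeyed hash of an
    e-mail address can be reversed by hashing guessed addresses.
    """
    material = "\x1f".join(record[f].strip().lower() for f in DIRECT_IDENTIFIERS)
    return hmac.new(key, material.encode("utf-8"), hashlib.sha256).hexdigest()[:32]

def pseudonymise(key: bytes, records: list) -> tuple:
    """Split records into a working set and a linkage table.

    The working set carries no listed identifier fields. The linkage
    table (pseudonym -> identity) and the key belong in a separate,
    access-controlled store. Free-text fields are not inspected here.
    """
    working, linkage = [], {}
    for rec in records:
        pid = pseudonym(key, rec)
        linkage.setdefault(pid, {f: rec[f] for f in DIRECT_IDENTIFIERS})
        rest = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        working.append({"pid": pid, **rest})
    return working, linkage

def reidentify(linkage: dict, pid: str):
    """Re-identification is only possible with the separately held table."""
    return linkage.get(pid)

# Constructed sample data, not real records.
SAMPLE = [
    {"name": "Alice Example", "email": "alice@example.org", "dispute": "address wrong"},
    {"name": "Bob Example", "email": "bob@example.org", "dispute": "duplicate account"},
    {"name": "Alice Example", "email": "Alice@Example.org ", "dispute": "late payment flag"},
]

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in practice, held in a separate key store
    working, linkage = pseudonymise(key, SAMPLE)
    for row in working:
        print(row)  # what someone with only the working set would see
    print(reidentify(linkage, working[1]["pid"]))
```

Records for the same person keep the same pseudonym, so the working set remains usable for analysis, while a copy of the working set alone exposes neither names nor e-mail addresses.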

Finally, organisations should maintain active dialogue with their peers to ensure their practices are in line with industry standards.

If you would like further guidance on cyber security or GDPR please contact me.

Barry Fishley, Editor.