Breach notification rules in the upcoming EU GDPR (General Data Protection Regulation) will mean data breaches are far more likely to become public, where today it is possible (although probably ill-advised) to try to sweep them under the carpet.
The EU GDPR will apply from 25th May 2018, and although that may seem like a long time from now, companies may find they have a lot to do before then in order to comply.
If you are in the UK, there is no point in hoping that Brexit will save you either — the UK is extremely unlikely to have exited the EU by May 2018, and even if it has, most companies will still need to comply with the GDPR because they will want to continue dealing with the EU.
The GDPR replaces the EU Data Protection Directive (DPD), which was created in the mid-1990s. The DPD was a good start to safeguarding personal data, but the fact that it was a Directive rather than a Regulation led to each EU member state implementing a slightly different version of it in its own laws (for example, the UK Data Protection Act 1998 is the UK’s version of the Directive). The GDPR, being a Regulation, will be the same in law across the whole of the EU and in each member state.
It’s important that every business is up to speed with the basics of the GDPR, and here are three key facts worth highlighting:
Right to be forgotten
The GDPR tightens the rules around transferring personal data outside of the EU, implements the ‘Right To Be Forgotten’ (the right to erasure) for data subjects, updates what counts as valid consent from users for companies to use their data, and introduces requirements around personal data breach notification.
Companies must also be able to provide a data subject with the data they hold about them in a “structured, commonly used and machine-readable format” (the right to data portability, which I suspect will often end up as a manual process involving spreadsheets). Also included are some very heavy fines for non-compliance and the requirement for ‘Data Protection by Design and by Default’.
Breach notification
Breach notification is an important part of the GDPR, as the EU has not previously had widespread mandatory breach notification regulations. Companies must notify their supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware that a breach of personal data has happened, unless the company can show the breach is “unlikely to result in a risk to the rights and freedoms of natural persons.” If the breach is also “likely to result in a high risk to the rights and freedoms of natural persons,” then the people whose data has been breached must be notified too, without undue delay, and given recommendations as to how they can mitigate possible repercussions of the breach (such as changing their passwords, monitoring their bank account for suspicious activity, and so on). Every breach, notified or not, must still be documented internally so the supervisory authority can check the decision later.
There may be a ‘get-out-of-jail’ card for notifying the data subjects themselves. If “appropriate technical and organisational protection measures” render the stolen data unintelligible to anyone not authorised to access it, such as being encrypted or pseudonymised, then personal notification may not be needed. Two caveats apply: this exemption covers only the notification to data subjects, not the notification to the supervisory authority, and it only holds if the encryption keys (or the pseudonymisation mapping) were not compromised along with the data.
Fines
There are also two levels of fine: the lower is up to €10m or 2 per cent of worldwide annual turnover, whichever is higher, and the higher up to €20m or 4 per cent of worldwide annual turnover, whichever is higher. Contrasting these amounts with the relatively small (but at the time record-breaking) £400,000 fine imposed in the UK by the Information Commissioner’s Office or ICO (the UK’s supervisory authority) after the data breach at TalkTalk, you can see how serious data breaches are becoming, not only for the amount of the fines, but also for the damage they can cause to a company’s reputation and the future loss of customers.