The new General Data Protection Regulation (GDPR) is set to replace the Data Protection Directive 95\/46\/ec effective May 25, 2018. The GDPR is directly applicable in each member state and will lead to a greater degree of data protection harmonization across EU nations.<\/p>\n
Although many companies have already adopted privacy processes and procedures consistent with the Directive, the GDPR contains a number of new protections for EU data subjects and threatens significant fines and penalties for non-compliant data controllers and processors once it comes into force in the spring of 2018.<\/p>\n
With new obligations on such matters as data subject consent, data anonymization, breach notification, trans-border data transfers, and appointment of data protection officers, to name a few, the GDPR requires companies handling EU citizens\u2019 data to undertake major operational reform.<\/p>\n
This is the first in a series of articles addressing the top 10 operational impacts of the GDPR.<\/p>\n
GDPR Enhances Data Security and Breach Notification Standards<\/p>\n
Data security plays a prominent role in the new General Data Protection Regulation (GDPR) reflecting its symbiotic relationship with modern comprehensive privacy regimes.<\/p>\n
Compared to Directive 95\/46\/ec, the GDPR imposes stricter obligations on data processors and controllers with regard to data security while simultaneously offering more guidance on appropriate security standards. The GDPR also adopts for the first time specific breach notification guidelines.<\/p>\n
Security of data processing standards<\/p>\n
The GDRP separates responsibilities and duties of data controllers and processors, obligating controllers to engage only those processors that provide \u201csufficient guarantees to implement appropriate technical and organizational measures\u201d to meet the GDPR\u2019s requirements and protect data subjects\u2019 rights. Processors must also take all measures required by Article 32, which delineates the GDPR\u2019s \u201csecurity of processing\u201d standards.<\/p>\n
Under Article 32, similarly to the Directive\u2019s Article 17, controllers and processors are required to \u201cimplement appropriate technical and organizational measures\u201d taking into account \u201cthe state of the art and the costs of implementation\u201d and \u201cthe nature, scope, context, and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural presons.\u201d Unlike the Directive, however, the GDPR provides specific suggestions for what kinds of security actions might be considered \u201cappropriate to the risk,\u201d including:<\/p>\n
The pseudonymisation and encryption of personal data.
\nThe ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
\nThe ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
\nA process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
\nControllers and processors that adhere to either an approved code of conduct or an approved certification mechanism \u2014 as described in Article 40 and Article 42 \u2014 may use these tools to demonstrate compliance with the GDPR\u2019s security standards.<\/p>\n
For additional guidance on security standards, controllers and processors may consider the Recitals, in particular Recitals 49 and 71, which allow for processing of personal data in ways that may otherwise be improper when necessary to ensure network security and reliability.
\nIAPP_Salary-Survey_300x250_FINAL<\/p>\n
\u201cPersonal data breach\u201d notification standards<\/p>\n
Unlike the Directive, which was silent on the issue of data breach, the GDPR contains a definition of \u201cpersonal data breach,\u201d and notification requirements to both the supervisory authority and affected data subjects.<\/p>\n
\u201cPersonal data\u201d is defined in both the Directive and the GDPR as \u201cany information relating to an identified or identifiable natural person (\u201cdata subject\u201d).\u201d Under the GDPR, a \u201cpersonal data breach\u201d is \u201ca breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.\u201d This broad definition differs from that of most U.S. state data breach laws, for example, which typically are triggered only upon exposure of information that can lead to fraud or identity theft, such as financial account information.<\/p>\n
In the event of a personal data breach, data controllers must notify the supervisory authority „competent under Article 55“ which is most likely (looking to Article 56(1)) the supervisory authority of the member state where the controller has its main establishment or only establishment, although this is not entirely clear. Notice must be provided \u201cwithout undue delay and, where feasible, not later than 72 hours after having become aware of it.\u201d If notification is not made within 72 hours, the controller must provide a \u201creasoned justification\u201d for the delay.<\/p>\n
Article 33(1) contains a key exception to the supervisory authority notification requirement: Notice is not required if \u201cthe personal data breach is unlikely to result in a risk for the rights and freedoms of natural persons,\u201d a phrase that will no doubt offer data protection officers and their outside counsel opportunities to debate the necessity of notification.<\/p>\n
A notification to the authority must \u201cat least\u201d: (1) describe the nature of the personal data breach, including the number and categories of data subjects and personal data records affected; (2) provide the data protection officer\u2019s contact information; (3) \u201cdescribe the likely consequences of the personal data breach\u201d; and (4) describe how the controller proposes to address the breach, including any mitigation efforts. If not all information is available at once, it may be provided in phases.<\/p>\n
When a data processor experiences a personal data breach, it must notify the controller but otherwise has no other notification or reporting obligation under the GDPR.<\/p>\n
If the controller has determined that the personal data breach \u201cis likely to result in a high risk to the rights and freedoms of individuals,\u201d it must also communicate information regarding the personal data breach to the affected data subjects. Under Article 34, this must be done \u201cwithout undue delay.\u201d<\/p>\n
The GDPR provides exceptions to this additional requirement to notify data subjects in the following circumstances: (1) the controller has \u201cimplemented appropriate technical and organizational protection measures\u201d that \u201crender the data unintelligible to any person who is not authorized to access it, such as encryption\u201d; (2) the controller takes actions subsequent to the personal data breach to \u201censure that the high risk for the rights and freedoms of data subjects\u201d is unlikely to materialize; or (3) when notification to each data subject would \u201cinvolve disproportionate effort,\u201d in which case alternative communication measures may be used.<\/p>\n
Assuming the controller has notified the appropriate supervisory authority of a personal data breach, its discretion to notify data subjects is limited by the DPA\u2019s ability, under Article 34(4), to require notification or conversely to determine it is unnecessary under the circumstances.<\/p>\n
Harmonization<\/p>\n
Data breach notification is possibly most firmly established globally in the U.S. There, \u201creasonable\u201d security standards are still being defined and nearly every U.S. state has a different breach notification law, which has led to some consternation among privacy professionals. The GDPR\u2019s uniform application across EU member states should at least provide predictability and thus efficiencies to controllers and processors seeking to establish compliant data security regimes and breach notification procedures across the entirety of the 28 member states. Nonetheless, the GDPR’s reference to a „competent supervisory authority“ suggests notification may need to be made to more than one supervisory authority depending on the circumstances, and the ambiguity of a number of terms such as „undue delay,“ likelihood of risk to rights and freedoms,“ and „disproportionate effort“ all remain to be further clarified and defined in practice.<\/p>\n","protected":false},"excerpt":{"rendered":"
The new General Data Protection Regulation (GDPR) is set to replace the Data Protection Directive 95\/46\/ec effective May 25, 2018. The GDPR is directly applicable in each member state and…<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[],"yst_prominent_words":[],"_links":{"self":[{"href":"https:\/\/techhub.eu\/en\/wp-json\/wp\/v2\/posts\/2630"}],"collection":[{"href":"https:\/\/techhub.eu\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/techhub.eu\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/techhub.eu\/en\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/techhub.eu\/en\/wp-json\/wp\/v2\/comments?post=2630"}],"version-history":[{"count":0,"href":"https:\/\/techhub.eu\/en\/wp-json\/wp\/v2\/posts\/2630\/revisions"}],"wp:attachment":[{"href":"https:\/\/techhub.eu\/en\/wp-json\/wp\/v2\/media?parent=2630"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/techhub.eu\/en\/wp-json\/wp\/v2\/categories?post=2630"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/techhub.eu\/en\/wp-json\/wp\/v2\/tags?post=2630"},{"taxonomy":"yst_prominent_words","embeddable":true,"href":"https:\/\/techhub.eu\/en\/wp-json\/wp\/v2\/yst_prominent_words?post=2630"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}