This is the eighth blog topic about the impact of the General Data Protection Regulation (GDPR) on Consumer IAM projects. This blog is part of a series that touches on important topics for IAM experts who have an interest in the new EU regulations. This week's topic is 'data breach communication'.
Although some EU countries have in the past introduced data breach legislation, as of 25th May 2018 the GDPR rules concerning data breaches come into force in all EU countries. This topic is covered in depth in articles 33 'Notification of a personal data breach to the supervisory authority' and 34 'Communication of a personal data breach to the data subject' of the GDPR.
Under the GDPR, organisations that process personal data are subject to strict personal data breach notification obligations. Two types of organisations are distinguished:
- Data controllers are organisations that determine the purpose and means of the processing. These organisations must report serious personal data breaches directly to the supervisory authority and to the individuals affected by the breach.
- Data processors are organisations that process data on the instructions of a data controller. These organisations must report data breaches to the data controller.
In practice, this means that both types of organisations must have direct communication protocols in place to report data breaches.
What are the timelines involved?
For personal data breaches that are likely to result in a risk to the rights and freedoms of natural persons, the supervisory authority has to be notified no later than 72 hours after the organisation has become aware of the breach. If notification takes more than 72 hours, it needs to be accompanied by valid reasons why this deadline was overrun.
Personal data breaches that are likely to result in a high risk to the rights and freedoms of natural persons have to be communicated to the persons involved without undue delay. The main objective of notifying the persons involved is to give them specific information about the steps they should take to protect themselves. As such, this information needs to be part of the notification itself.
A real-life data breach example
I will sketch an example of data breach communication to make it a little more tangible:
Imagine an insurance company that uses an identity & access management system to provide its clients with an overview of their personal health insurance data. On a certain day, a call comes in at the customer service department. It is a client who - after logging in to the portal - gets to see personal data of another person. The customer service employee reports this problem to the internal IT department, where a check is performed on how this could have happened. It turns out that - due to a software bug - personal data of different persons have been intermingled and there has indeed been unauthorised access to certain personal data. A data breach has occurred! After performing an immediate impact assessment, the IT department concludes that the personal data of 100 clients are affected and that the breach poses a high risk to them. Besides fixing the bug immediately, the insurance company activates its data breach communication procedure. This results in a notification to the supervisory authority within 72 hours and to the 100 affected clients without undue delay.
What should organisations do to deal with data breaches?
In order to prevent and deal with data breaches (according to GDPR requirements), the following steps are recommended:
- Set up Access Policies and procedures;
- Oversee that the right technical measures are taken to prevent data breaches and to ensure that - whenever a security breach occurs - the data cannot be read. This can be done by applying data encryption techniques;
- Carefully select sub-processors to make sure they have adequate security measures in place (including encryption or pseudonymisation, back-ups etc.);
- Set up (or update) internal data breach notification procedures. Once these are in place, start informing and training your customer care and security departments on what a data breach is and how to handle one if they encounter it. These procedures directly affect incident management plans or protocols and incident identification applications;
- Make sure these procedures are tested and reviewed on a regular basis;
- Make sure that sub-processors communicate their data breaches to your organisation proactively and without delay, and enter into a Data Processing Agreement to confirm the obligations of the sub-processor in writing;
- Set up and maintain an internal breach register. This is a legal obligation under the GDPR, but it also allows your organisation to assess the impact of a breach in a timely and accurate manner.
What happens if organisations don't comply?
Most importantly, organisations must be aware that incorrectly dealing with data breaches can and will result in heavily damaged relationships with their clients. On top of that, the GDPR adds a huge economic sanction for not complying with the requirements on data breach communication: fines of up to 10,000,000 euros or up to 2% of the organisation's total annual turnover of the previous financial year (whichever is higher).
Hopefully this blog helps you on your way to dealing with data breaches the appropriate way. In the next (and last) blog, we will cover the Children's privacy under GDPR.
The GDPR in all official European languages can be found here:
In a series of 9 blogs, we will dive deeper into the specific parts of the GDPR and their effect on IAM.
- Why IAM will never be the same.
- When should consent be requested?
- Why transparency is key to building trust.
- Strict regulation of automated individual decision making.
- What is sensitive personal data?
- Privacy by Design & Data protection by Design.
- Special rights for the individual like “right to be forgotten”
- Data breach communication.
- Children's privacy under GDPR.
Feel free to repost this blog on your website! But when you do so, please be so kind to mention the source and give us a notice via firstname.lastname@example.org
Corné van Rooij
VP Product & Strategic Alliances at iWelcome
Corné has been working in the security market for more than 20 years, of which the last 15 years at two well-known Identity Management vendors.