This is the eight blog topic about the impact of the General Data Protection Regulation (GDPR) on Consumer IAM projects. This blog is part of a series that touches on important topics for IAM experts who have an interest in the new EU regulations. This week’s topic is about ‘data breach communication’.
Although some EU countries have in the past introduced data breach legislations, as of 25th May 2018 the GDPR rules concerning data breaches shall come into force in all EU countries. This topic is covered in-depth in articles 33 ‘Notification of a personal data breach to the supervisory authority” and 34 ‘Communication of a personal data breach to the data subject’ of the GDPR.
Under the GDPR, organisations that process personal data are subject to serious personal data breach notification legislations. Two types of organisations are distinguished:
In practice, this means that both types of organisations must have direct communication protocols in place to report data breaches.
What are the timelines involved?
For personal data breaches that are likely to result in a risk to the rights and freedoms of natural persons, the supervisory authority has to be notified not later than 72 hours after the organisation have become aware of the breach. In case it takes more than 72 hours, the notification needs to be accompanied with the valid reasons why this deadline was overrun.
Personal data breaches that are likely to result in a high risk to the rights and freedoms of natural persons have to be communicated to the persons involved without undue delay. The main objective of notification to the person involved is to provide specific information about steps they should take to protect themselves. As such, this information needs to be part of the notification itself.
A real-life data breach example
I will sketch an example of data breach communication to make it a little more tangible:
Imagine an insurance company that uses an identity & access management system to provide its clients with an overview of their personal health insurance data. On a certain day, a call comes in at the customer service department. It is a client who – after logging in to the portal – gets to see personal data from another person. The customer service employee reports this problem to the internal IT department where a check is performed on how this could have happened. It turns out that – due to a software bug – personal data of different persons are intermingled and there has indeed been unauthorised access to certain personal data. A data breach has occurred! After performing an immediate impact assessment, the IT department concludes that the personal data of 100 clients are impacted with high risks. Besides solving this problem immediately, the insurance company decides to activate its data breach communication procedure. This results in a notification message to the supervisory authority within 72 hours and the 100 impacted clients without undue delay.
What should organisations do to deal with data breaches?
In order to prevent and deal with data breaches (according to GDPR requirements), the following steps are recommended to take;
What happens if organisations don’t comply?
Most importantly, organisations must be aware that incorrectly dealing with data breaches can and will result in heavily damaged relationships with their clients. On top of that, the GDPR now adds a huge economic sanction for not complying to the requirements on data breach communication with fines up to 10,000,000 euros or up to 2% of the organisation’s total annual turnover of the previous financial year (whichever is higher).
Hopefully this blog helps you on your way to dealing with data breaches the appropriate way. In the next (and last) blog, we will cover the Children’s privacy under GDPR.
The GDPR in all official European languages can be found here:
In a series of 9 blogs, we will dive deeper into the specific parts of the GDPR and their effect on IAM.
Feel free to repost this blog on your website! But when you do so, please be so kind to mention the source and give us a notice via firstname.lastname@example.org
Corné van Rooij
VP Product & Strategic Alliances at iWelcome
Corné has been working in the security market for more than 20 years of which the last 15 years at two well known Identity Management Vendors.