Data Breach Notification & the GDPR

Written by Niamh Elisabeth McShane | 3 min read
Published on: May 11, 2018 - Last modified: November 13th, 2020

From 25 May 2018, the EU General Data Protection Regulation (GDPR) will fundamentally alter the way companies handle, source, and distribute data collected from partners or clients residing in the European Union. To mark this change, the Signavio blog will focus on the GDPR throughout May, with a range of posts covering different aspects of the GDPR. This post is the third in our series, and provides some detail on what to do in the event of a data breach.

For many organizations, having a breach notification procedure in place is a legal requirement, ensuring that in the case of a serious personal data breach, the correct actions are executed in accordance with legal guidelines. The consequences of delayed or ineffective reactions to data breaches can be dire, as seen in the Equifax scandal, in which 143 million US citizens had their most sensitive data exposed, as well as the more recent issues with Cambridge Analytica harvesting user data through third-party applications. The haphazard and tardy responses by the companies involved have resulted in legal action, testimony before lawmakers, and a spate of resignations and business closures, not to mention irrevocable damage to reputation and customer trust.

Data Breach Notification and the GDPR

The GDPR makes explicit reference to “personal data breaches,” as well as to notification requirements towards both the supervisory authority and affected data subjects. So what counts as personal data? The GDPR’s definition is quite similar to those in existing legislation: personal data is “any information relating to an identified or identifiable natural person (‘data subject’).” Building on that, the GDPR defines a “personal data breach” as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.”

Avoiding Penalties

The GDPR explicitly states that in the event of a personal data breach, data controllers must notify the relevant supervisory authority. If the controller has determined that the personal data breach “is likely to result in a high risk to the rights and freedoms of individuals,” it must also communicate information regarding the personal data breach to the affected data subjects “without undue delay.” As of May 25 2018, data breaches will result in higher penalties than previously mandated—up to 4% of annual global turnover or €20 million, whichever is greater—so it is crucial that your organization has adequate measures in place for timely notification of both the supervisory authority and the data subjects.

Decision models and workflow automation

Waiting until your organization must react to a personal data or security breach before you figure out what the process for dealing with it should be is categorically leaving it too late. In fact, it may make a bad situation a whole lot worse. This is why you must model your breach response process.

First of all, it is important to define and document whether or not the security breach experienced is in fact a personal data breach. A decision model in which the employee is prompted to consider whether personal data has been compromised, and whether one can reasonably exclude or must assume that personal data has been processed unlawfully, ensures that there is no room for doubt and provides guidance on how to proceed. Decision models also help to clear up more abstract compliance-related risk queries, providing rules that answer questions such as, “If an employee left their laptop on a train, do I have to notify my country’s Data Protection Authority?”

In addition, an automated workflow will aid you in deciding whether or not you have to notify the Data Protection Authority (DPA), and whether you additionally have to notify the data subjects, meaning the customers whose data was compromised. Ensuring that the whole process is automated removes the margin for non-compliant behavior and makes certain that audit requirements are taken seriously, including logging which incidents should be reported and when, who handled them, and how.

The 72-hour deadline means that responsibility for notification may often need to be delegated, particularly in a large organization. In some situations, company boards may have to sign off on this delegation, as there may not be time for the Data Protection Officer to present to the board in the event of a breach. Building this delegation into the automated workflow means that not only do you remove the margin for non-compliant behavior, but you also accelerate the notification decision process and so reduce the risk of missing the 72-hour deadline. This is critically important, because if you don’t notify the Data Protection Authority within 72 hours of discovering a breach, you can be liable for a fine of at least €10 million.
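The decision model described in the three paragraphs above, as an added example that is not part of the original post or of Signavio’s own tooling: each incident is classified (personal data involved? unlawful processing reasonably excluded? high risk?), the 72-hour DPA deadline is computed from the moment of awareness, the data-subject notification is derived from the high-risk assessment, and every step is written to an audit trail with the handler’s name. The incidents, names and the simplified yes/no inputs are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Art. 33 GDPR: notify the supervisory authority within 72 hours of becoming aware.
DPA_DEADLINE = timedelta(hours=72)

@dataclass
class Incident:
    incident_id: str
    discovered_at: datetime             # moment the organisation became aware (starts the clock)
    personal_data_involved: bool        # does the data relate to identifiable natural persons?
    unlawful_processing_excluded: bool  # can unlawful processing be reasonably excluded?
    high_risk_to_individuals: bool      # outcome of the controller's risk assessment (assumed input)
    handled_by: str                     # who took the decision (delegate or DPO)

@dataclass
class Decision:
    is_personal_data_breach: bool
    notify_dpa: bool
    dpa_deadline: Optional[datetime]
    notify_data_subjects: bool
    audit_log: List[str] = field(default_factory=list)

def decide(inc: Incident, now: datetime) -> Decision:
    """Run the breach decision model and record every step for the audit trail."""
    log = [f"{inc.incident_id}: assessed by {inc.handled_by} at {now.isoformat()}"]
    # Step 1: is this a personal data breach at all, or only a security incident?
    if not inc.personal_data_involved or inc.unlawful_processing_excluded:
        log.append("not a personal data breach: no notification duty; reasoning recorded")
        return Decision(False, False, None, False, log)
    # Step 2: DPA notification; the 72 h clock runs from awareness, not from this assessment.
    deadline = inc.discovered_at + DPA_DEADLINE
    log.append(f"notify DPA by {deadline.isoformat()}")
    if now > deadline:
        log.append("72 h deadline missed: notify anyway and document the reasons for the delay")
    # Step 3: data subjects are told only where the breach is likely to cause high risk.
    if inc.high_risk_to_individuals:
        log.append("notify affected data subjects without undue delay")
    return Decision(True, True, deadline, inc.high_risk_to_individuals, log)

def demo() -> List[Decision]:
    """Constructed cases: a lost unencrypted laptop (high risk) and a remotely wiped one."""
    found = datetime(2018, 5, 26, 9, 0, tzinfo=timezone.utc)
    lost = Incident("INC-001", found, True, False, True, "delegate.smith")
    wiped = Incident("INC-002", found, True, True, False, "delegate.smith")
    return [decide(lost, found + timedelta(hours=3)),   # inside the 72 h window
            decide(lost, found + timedelta(hours=80)),  # window already missed
            decide(wiped, found + timedelta(hours=3))]  # no breach: processing excluded
```

Calling `demo()` and printing each `audit_log` shows the three outcomes; in a real workflow the log entries would be persisted so an auditor can see what was reported, when, and by whom.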

Next steps

The changes to the GDPR are certainly creating a lot of waves, but their implementation into your organization’s existing structures need not be complicated. If you want to find out more about establishing a roadmap for adopting breach notification procedures at your organization, or about how to model the decision rules and business processes required, why not let our experts show you how? Or, if you're ready to tackle this yourself, sign up for a free 30-day trial with Signavio today.
