On 14 April 2016, the EU adopted the General Data Protection Regulation (GDPR), replacing the 1995 Data Protection Directive. The new regulation came into force on 25 May 2018, giving companies a two-year grace period to fully comply. Among the numerous critical requirements, the need…
Data breaches in the context of GDPR
Data breaches are not a new notion; they have been around ever since companies started keeping records. However, their nature changed, and they gained public attention, with the appearance of digital data.
The evolution of Data Breaches
Publicly disclosed data breaches increased in frequency in the 1980s. In the 1990s and early 2000s, public awareness of the potential for data breaches began to rise. In recent years the number of data breaches has continued to climb, as the chart below shows.
According to the Ponemon Institute, the odds of a recurring data breach for an organization are nearly one in four. By comparison, the odds of dying in a car accident in the next year are about one in nine thousand. These numbers make it clear that having to deal with a data breach is a very real possibility.
Considering the cost of dealing with a data breach ($3.62 million on average, according to the Ponemon Institute's annual study for 2017) and the threats it can pose to the people affected by it, several regulations on data protection have been formulated and adopted over the years. The latest one is the European Union's General Data Protection Regulation (GDPR).
Prevention of data breaches in the GDPR context
The measures imposed by GDPR are meant to provide a very high level of security for data concerning EU residents. Accordingly, the EU treats data breaches and noncompliance very seriously. In case of noncompliance, two levels of fines apply:
- 10 million euros or 2% of global gross revenue, whichever is higher
- 20 million euros or 4% of global gross revenue, whichever is higher, if the breach involves sensitive or large amounts of personal data
Section 2 of the GDPR offers guidelines on how controllers and processors should prevent a breach. It also details the notification process to follow should a breach occur anyway.
Some of the recommended steps for prevention are: “the pseudonymisation and encryption of personal data”; the enforcement of a process for “regularly testing, assessing and evaluating the effectiveness of technical and organisational measures” and gaining the ability to “restore the availability and access to personal data in a timely manner in the event of a physical or technical incident”.
Post data breach actions
One of the most discussed requirements of GDPR is Article 33, which dictates that, in the event of a personal data breach, data controllers must notify the appropriate supervisory authority “without undue delay and, where feasible, not later than 72 hours after having become aware of it.” This means that the company affected by the breach must:
- carry out an investigation to assess the damage caused by the breach:
  - Who accessed the data, and when did it happen?
  - What type of data was affected?
  - To whom did the data belong?
  - How can the attacker use the data?
  - What is the impact of the data breach on the data subjects?
- draft a comprehensive containment plan
- notify the supervisory authority about the breach and, in case sensitive data was leaked, also the data subjects who were affected (in no more than 72 hours); the notification must contain:
  - the results of the investigation
  - a record of the measures that were in place to prevent a breach
  - the estimated impact of the breach
  - forensic details
  - a mitigation or remediation plan
If the controller does not report the breach within the 72-hour window, they must also provide a reasonable justification for the delay.
Duty of care
The fact that a company experiences a data breach does not by itself mean it is liable, as long as it can demonstrate a duty of care in handling its data. The duty of care defines the balance between the security measures necessary to prevent foreseeable harm to others and the burden those measures place on the business itself. In practice, a company does not have to invest huge amounts of money in cybersecurity; it has to take reasonable steps to protect its data.
GDPR aims to bring about a cultural shift, a change in how we work with personal data, in order to minimize the effects of certain threats on EU citizens. A uniform system for handling data breaches improves the security of our personal data while reducing the damage these attacks can cause.