Articles

GDPR: Security will be everywhere (even at your local shopkeeper)

GDPR: Security will be everywhere (even at your local shopkeeper)

GDPR: Security will be everywhere (even at your local shopkeeper)

01.06.2016

Compared to the current legal framework, the GDPR contains stricter obligations with regard to data security, data breach notifications, and data subject notifications. Therefore, many companies have already started preparing compliance, given that many of these obligations will require time to implement.

This article was co-written by Valerie Vanryckeghem

Data Security

The GDPR requires both data processors  and data controllers to implement appropriate security measures on every level of data processing.

In this regard, the GDPR provides specific suggestions such as, but not limited to:

  • The pseudonymization and encryption of personal data.
  • A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures  for ensuring the security of the processing, for example, approved and tested codes of conduct, certifications, and guidelines.

In assessing the appropriate level of security, data controllers and data processors are required to take into account the risks that  are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed.

In particular, the risk would be higher for large-scale processing operations involving considerable amounts of personal data because a data breach could affect a large number of data subjects. For example, a hospital’s storing of patient files in the cloud has a higher risk than a local, independent  hairdresser’s customer loyalty program because of the large scale processing of the operation and the sensitive nature of the patient data of a hospital.

Data Breach Notification

A data breach is a security incident in which sensitive, protected, or confidential personal data is intentionally or unintentionally released to an untrusted environment or copied, transmitted, viewed, stolen, or used by an individual unauthorized to do so.

Such incidents range from concerted attacks with the backing of organized crime or national governments to careless disposal of used computer equipment or data storage media.

Under the GDPR, the data controller must notify any data breach to the supervisory authority without undue delay and, where feasible, within 72 hours as from the time the controller became aware of the breach. If this timeframe is not met, the untimely notification must be substantiated by reasons justifying the delay.

The data breach notification must contain information including, among others:

  • the nature of the personal data breach, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
  • a description of the likely consequences of the data breach;
  • a description of the measures taken or proposed to be taken by the data controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

There is one key exception to the notification obligation. Notification is not required if the data breach is unlikely to result in a “risk to the rights and freedoms of natural persons”. The preamble of the GDPR states that a risk to the rights and freedoms of individuals can consist of physical, material, or non-material damage such as identity theft or fraud, financial loss, discrimination, or reputational damage.

Lastly, the data controller must also maintain an internal data breach register, allowing the supervisory authority to verify compliance with the GDPR if needed.

If the data processor becomes aware of a data breach, it must notify the  data controller about it. The data processor itself has no other notification or reporting obligations.

Data Subject Notification

In certain instances, the GDPR also requires that data breaches caused to data subjects be notified. If the data controller has determined that the data breach “is likely to result in a high risk to the rights and freedoms of individuals”, it must also communicate— without undue delay—the information regarding the data breach to the data subjects affected by it.

The GDPR does not further specify the distinction between “high risk” with regard to data subject notification and “risk” with regard to data breach notification. Therefore, this phrase will surely become the subject of many discussions regarding the necessity of a data subject notification obligation.

The GDPR sets forth three exceptions whereby the data controller must not be required to notify data subjects:

  • the data controller has implemented appropriate technical and organizational protection measures that render the  data unintelligible to any person who is not authorized to access it, such as encryption;
  • the data controller takes actions subsequent to the personal data breach to “ensure that the high risk for the rights and freedoms of data subjects” is unlikely to materialize, such as the full recovery or destruction of the leaked data, so that the data is not in the hands of a third party;
  • when notification to each data subject would involve disproportionate effort, in which case alternative communication measures may be used, such as a public information campaign.

To Do List

The practical implementation of the requirements under this section is challenging. This is not in the least because of the ambiguity of certain terms such as “undue delay”, “likelihood of/(high) risk to rights and freedoms”, and “disproportionate effort”, which remain to be further clarified and defined in practice.

Also, companies might want to prepare themselves to meet these additional requirements by:

  • developing clear policies and procedures to ensure a timely reaction to data breaches, including notification procedures, incident identification systems, and incident response plans;
  • practicing and testing such procedures on a regular basis;
  • investing in the implementation of appropriate technical and organizational measures to ensure data security.

To read more about this series of articles (and the articles that were published previously), please click here.

Team

Related news

07.12.2018 BE law
GDPR-roundtable on practical questions encountered during implementation

Roundtable - After the success of the roundtable sessions we held before the GDPR took effect (in May this year), our TMT team is enthusiastic about the session of 7 December, focusing on the lessons we have learned from working on multiple GDPR-matters in the past year. We will tackle some practical questions that we have encountered and that are not or cannot be readily answered by the new regulation.

Read more

07.12.2018 BE law
Virtual Currency Regulation Law Review

Articles - The first edition of the Virtual Currency Regulation Law Review is intended to provide a practical, business-focused analysis of recent legal and regulatory changes and developments, and of their effects, and to look forward at expected trends in the area of virtual currencies on a country-by-country basis.

Read more

20.11.2018 NL law
Seminar 'Personal data from a broader perspective: overlap inside and outside the privacy domain'

Seminar - On 20 November 2018, Stibbe will host a seminar on privacy. Several Stibbe lawyers will discuss personal data from a broader perspective and the overlap that can occur inside and outside the legal privacy domain.

Read more

Our website uses cookies: third party analytics cookies to best adapt our website to your needs & cookies to enable social media functionalities. For more information on the use of cookies, please check our Privacy and Cookie Policy. Please note that you can change your cookie opt-ins at any time via your browser settings.

Privacy – en cookieverklaring