Articles

GDPR: Security will be everywhere (even at your local shopkeeper)

GDPR: Security will be everywhere (even at your local shopkeeper)

GDPR: Security will be everywhere (even at your local shopkeeper)

01.06.2016

Compared to the current legal framework, the GDPR contains stricter obligations with regard to data security, data breach notifications, and data subject notifications. Therefore, many companies have already started preparing compliance, given that many of these obligations will require time to implement.

This article was co-written by Valerie Vanryckeghem

Data Security

The GDPR requires both data processors  and data controllers to implement appropriate security measures on every level of data processing.

In this regard, the GDPR provides specific suggestions such as, but not limited to:

  • The pseudonymization and encryption of personal data.
  • A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures  for ensuring the security of the processing, for example, approved and tested codes of conduct, certifications, and guidelines.

In assessing the appropriate level of security, data controllers and data processors are required to take into account the risks that  are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed.

In particular, the risk would be higher for large-scale processing operations involving considerable amounts of personal data because a data breach could affect a large number of data subjects. For example, a hospital’s storing of patient files in the cloud has a higher risk than a local, independent  hairdresser’s customer loyalty program because of the large scale processing of the operation and the sensitive nature of the patient data of a hospital.

Data Breach Notification

A data breach is a security incident in which sensitive, protected, or confidential personal data is intentionally or unintentionally released to an untrusted environment or copied, transmitted, viewed, stolen, or used by an individual unauthorized to do so.

Such incidents range from concerted attacks with the backing of organized crime or national governments to careless disposal of used computer equipment or data storage media.

Under the GDPR, the data controller must notify any data breach to the supervisory authority without undue delay and, where feasible, within 72 hours as from the time the controller became aware of the breach. If this timeframe is not met, the untimely notification must be substantiated by reasons justifying the delay.

The data breach notification must contain information including, among others:

  • the nature of the personal data breach, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
  • a description of the likely consequences of the data breach;
  • a description of the measures taken or proposed to be taken by the data controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

There is one key exception to the notification obligation. Notification is not required if the data breach is unlikely to result in a “risk to the rights and freedoms of natural persons”. The preamble of the GDPR states that a risk to the rights and freedoms of individuals can consist of physical, material, or non-material damage such as identity theft or fraud, financial loss, discrimination, or reputational damage.

Lastly, the data controller must also maintain an internal data breach register, allowing the supervisory authority to verify compliance with the GDPR if needed.

If the data processor becomes aware of a data breach, it must notify the  data controller about it. The data processor itself has no other notification or reporting obligations.

Data Subject Notification

In certain instances, the GDPR also requires that data breaches caused to data subjects be notified. If the data controller has determined that the data breach “is likely to result in a high risk to the rights and freedoms of individuals”, it must also communicate— without undue delay—the information regarding the data breach to the data subjects affected by it.

The GDPR does not further specify the distinction between “high risk” with regard to data subject notification and “risk” with regard to data breach notification. Therefore, this phrase will surely become the subject of many discussions regarding the necessity of a data subject notification obligation.

The GDPR sets forth three exceptions whereby the data controller must not be required to notify data subjects:

  • the data controller has implemented appropriate technical and organizational protection measures that render the  data unintelligible to any person who is not authorized to access it, such as encryption;
  • the data controller takes actions subsequent to the personal data breach to “ensure that the high risk for the rights and freedoms of data subjects” is unlikely to materialize, such as the full recovery or destruction of the leaked data, so that the data is not in the hands of a third party;
  • when notification to each data subject would involve disproportionate effort, in which case alternative communication measures may be used, such as a public information campaign.

To Do List

The practical implementation of the requirements under this section is challenging. This is not in the least because of the ambiguity of certain terms such as “undue delay”, “likelihood of/(high) risk to rights and freedoms”, and “disproportionate effort”, which remain to be further clarified and defined in practice.

Also, companies might want to prepare themselves to meet these additional requirements by:

  • developing clear policies and procedures to ensure a timely reaction to data breaches, including notification procedures, incident identification systems, and incident response plans;
  • practicing and testing such procedures on a regular basis;
  • investing in the implementation of appropriate technical and organizational measures to ensure data security.

To read more about this series of articles (and the articles that were published previously), please click here.

Team

Related news

12.03.2020 EU law
Stibbe sets up corona team

Inside Stibbe - The coronavirus (COVID-19) may have legal consequences for your business. We have set up a team of specialists who can provide insight into the legal implications of the virus.

Read more

10.03.2020 NL law
De AVG staat niet in de weg aan de verwerking van persoonsgegevens door een toezichthouder tijdens een bedrijfsbezoek

Short Reads - Bedrijven die met toezicht worden geconfronteerd, zijn gehouden op verzoek van een toezichthouder in beginsel alle informatie te verstrekken. Met de komst van de Algemene verordening gegevensbescherming (AVG) is in de praktijk de vraag opgekomen of een toezichthouder bevoegd is om persoonsgegevens die onderdeel uitmaken van de gevraagde informatie te verwerken.

Read more

18.03.2020 EU law
Stibbe: COVID-19

Short Reads - In view of the developments concerning the coronavirus, we hereby inform you of our business operations and the measures we take to ensure the continuity of our services to you.

Read more

26.02.2020 BE law
18 March 2020: Erik Valgaeren sheds a light on the legal perspectives of industrial data during a Beltug conference

Speaking slot - In this era of digitisation, data is often called the 'new gold' or 'oil'.  In our aim to gain more insights that will lead us to higher revenue, new market opportunities or new regions, we are analysing data at full throttle. But it needs to be handled with care, using a data architecture that follows your general strategy while ensuring solid security, quality, etc.

Read more

This website uses cookies. Some of these cookies are essential for the technical functioning of our website and you cannot disable these cookies if you want to read our website. We also use functional cookies to ensure the website functions properly and analytical cookies to personalise content and to analyse our traffic. You can either accept or refuse these functional and analytical cookies.

Privacy – en cookieverklaring