
GDPR: Security will be everywhere (even at your local shopkeeper)

01.06.2016

Compared to the current legal framework, the GDPR contains stricter obligations with regard to data security, data breach notification, and data subject notification. Many companies have therefore already started preparing for compliance, since several of these obligations will take time to implement.

This article was co-written by Valerie Vanryckeghem

Data Security

The GDPR requires both data processors and data controllers to implement appropriate security measures at every level of data processing.

In this regard, the GDPR provides specific suggestions such as, but not limited to:

  • The pseudonymization and encryption of personal data.
  • A process for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures for ensuring the security of the processing; adherence to approved codes of conduct or certification mechanisms may be used to help demonstrate compliance.

In assessing the appropriate level of security, data controllers and data processors are required to take into account the risks presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed.

In particular, the risk is higher for large-scale processing operations involving considerable amounts of personal data, because a data breach could affect a large number of data subjects. For example, a hospital storing patient files in the cloud carries a higher risk than a local, independent hairdresser's customer loyalty program, both because of the large-scale nature of the hospital's processing and because of the sensitive nature of patient data.

Data Breach Notification

A data breach is a security incident in which sensitive, protected, or confidential personal data is intentionally or unintentionally released to an untrusted environment or copied, transmitted, viewed, stolen, or used by an individual unauthorized to do so.

Such incidents range from concerted attacks with the backing of organized crime or national governments to careless disposal of used computer equipment or data storage media.

Under the GDPR, the data controller must notify a data breach to the supervisory authority without undue delay and, where feasible, within 72 hours from the time the controller became aware of the breach. If notification is not made within 72 hours, it must be accompanied by the reasons for the delay.

The data breach notification must contain information including, among others:

  • the nature of the personal data breach, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
  • a description of the likely consequences of the data breach;
  • a description of the measures taken or proposed to be taken by the data controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

There is one key exception to the notification obligation. Notification is not required if the data breach is unlikely to result in a “risk to the rights and freedoms of natural persons”. The preamble of the GDPR states that a risk to the rights and freedoms of individuals can consist of physical, material, or non-material damage such as identity theft or fraud, financial loss, discrimination, or reputational damage.

Lastly, the data controller must also maintain an internal data breach register, allowing the supervisory authority to verify compliance with the GDPR if needed.

If the data processor becomes aware of a data breach, it must notify the data controller without undue delay. The data processor itself has no other notification or reporting obligations under the GDPR.

Data Subject Notification

In certain instances, the GDPR also requires that the data subjects themselves be notified of a data breach. If the data controller has determined that the data breach "is likely to result in a high risk to the rights and freedoms of individuals", it must also communicate the information regarding the data breach to the affected data subjects, without undue delay.

The GDPR does not further specify the distinction between “high risk” with regard to data subject notification and “risk” with regard to data breach notification. Therefore, this phrase will surely become the subject of many discussions regarding the necessity of a data subject notification obligation.

The GDPR sets forth three exceptions in which the data controller is not required to notify data subjects:

  • the data controller has implemented appropriate technical and organizational protection measures that render the data unintelligible to any person who is not authorized to access it, such as encryption (this only holds if the encryption key was not compromised together with the data);
  • the data controller takes actions subsequent to the personal data breach to “ensure that the high risk for the rights and freedoms of data subjects” is unlikely to materialize, such as the full recovery or destruction of the leaked data, so that the data is not in the hands of a third party;
  • when notification to each data subject would involve disproportionate effort, in which case alternative communication measures may be used, such as a public information campaign.
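The following Python example is added here and is not part of the original article. It illustrates the two points made above about pseudonymization and about data being "unintelligible" to an unauthorized person: a keyed pseudonymization function, where the additional information needed to re-identify a person (the key) is held separately from the dataset, versus an unkeyed hash of the same identifier, which an outsider can reverse simply by enumerating plausible e-mail addresses. The customer records, the attacker's candidate list and the key-handling choices are constructed for the example and are not taken from the GDPR text.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Iterable, List, Optional

# Constructed sample data: what a small loyalty program might hold.
CUSTOMERS = [
    {"email": "anna@example.org", "visits": 12, "last_purchase": "hair dye"},
    {"email": "bram@example.net", "visits": 3, "last_purchase": "shampoo"},
    {"email": "chloe@example.com", "visits": 27, "last_purchase": "haircut"},
]

# Constructed attacker resource: a list of plausible identifiers (for instance a
# leaked marketing list). Identifier spaces like this are small enough to enumerate.
ATTACKER_CANDIDATES = [
    "anna@example.org", "bob@example.org", "bram@example.net",
    "carla@example.com", "chloe@example.com", "dirk@example.net",
]

# The "additional information kept separately": a secret key that must live
# outside the pseudonymized dataset (in practice a KMS or HSM, not a config file).
# Assumption for the example: it is generated at import time.
CONTROLLER_KEY = secrets.token_bytes(32)


def _canonical(email: str) -> bytes:
    """Normalise the identifier so the same person always maps to the same token."""
    return email.strip().lower().encode("utf-8")


def naive_pseudonym(email: str) -> str:
    """Unkeyed SHA-256 of the identifier. Looks opaque, but anyone can recompute it."""
    return hashlib.sha256(_canonical(email)).hexdigest()


def keyed_pseudonym(email: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key. Without the key the token cannot be recomputed."""
    return hmac.new(key, _canonical(email), hashlib.sha256).hexdigest()


def pseudonymize(records: List[dict], key: bytes) -> List[dict]:
    """Replace the direct identifier in each record by a keyed token; other fields stay."""
    out = []
    for r in records:
        rest = {k: v for k, v in r.items() if k != "email"}
        out.append({"token": keyed_pseudonym(r["email"], key), **rest})
    return out


def reidentify_by_enumeration(token: str, candidates: Iterable[str],
                              fn: Callable[[str], str]) -> Optional[str]:
    """Attacker model: push every plausible identifier through fn and compare tokens."""
    for email in candidates:
        if hmac.compare_digest(fn(email), token):
            return email
    return None


def attack_naive() -> List[Optional[str]]:
    """Plain-hash tokens are recovered for every customer on the candidate list."""
    tokens = [naive_pseudonym(r["email"]) for r in CUSTOMERS]
    return [reidentify_by_enumeration(t, ATTACKER_CANDIDATES, naive_pseudonym) for t in tokens]


def attack_keyed() -> List[Optional[str]]:
    """Attacker holds the dataset and the candidate list but not the key: every lookup fails."""
    dataset = pseudonymize(CUSTOMERS, CONTROLLER_KEY)
    guessed_key = secrets.token_bytes(32)  # best the attacker can do without the real key
    return [
        reidentify_by_enumeration(r["token"], ATTACKER_CANDIDATES,
                                  lambda e: keyed_pseudonym(e, guessed_key))
        for r in dataset
    ]


def controller_lookup(email: str) -> Optional[dict]:
    """The controller, holding the key, can still attribute a record to a person."""
    dataset = pseudonymize(CUSTOMERS, CONTROLLER_KEY)
    token = keyed_pseudonym(email, CONTROLLER_KEY)
    for r in dataset:
        if hmac.compare_digest(r["token"], token):
            return r
    return None


if __name__ == "__main__":
    print("unkeyed hash, re-identified:", attack_naive())
    print("keyed token, re-identified:", attack_keyed())
    print("controller lookup:", controller_lookup("anna@example.org"))
```

Two consequences follow for the obligations discussed on this page. First, because the controller can still re-identify people with the key, the tokenized dataset is pseudonymized, not anonymized, and remains personal data. Second, a breach of the tokenized dataset alone leaves the identifiers unintelligible to the recipient only as long as the key stays out of the same incident; a breach that also exposes the key, or tokens produced with an unkeyed hash, does not qualify for that reasoning.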

To Do List

The practical implementation of the requirements under this section is challenging, not least because of the ambiguity of terms such as "undue delay", "likelihood of/(high) risk to rights and freedoms", and "disproportionate effort", which remain to be clarified and defined in practice.

Companies should nevertheless prepare to meet these additional requirements by:

  • developing clear policies and procedures to ensure a timely reaction to data breaches, including notification procedures, incident identification systems, and incident response plans;
  • practicing and testing such procedures on a regular basis;
  • investing in the implementation of appropriate technical and organizational measures to ensure data security.

This article is part of a series of articles on the GDPR.
