GDPR Data Breach Notification Requirements
The European Union’s General Data Protection Regulation, or GDPR, went into effect on May 25, 2018. These regulations apply to companies doing business in the European Union or to companies that hold data of EU citizens for any reason, demanding compliance with stringent, uniform data regulations. GDPR creates a brand new framework with high expectations for the companies it impacts. For many companies, compliance with GDPR is daunting. Tanya Forsheit, Chair of the Privacy & Data Security Group at top law firm Frankfurt Kurnit Klein + Selz and a privacy and cybersecurity attorney with over 20 years of experience advising on these issues, says, “GDPR is completely different than anything we have in the US. There is really no comparison in the US to the GDPR.”
Forsheit elaborates: “GDPR requires companies who are subject to it to have very robust that allow individuals, consumers, employers to certain rights to access their data, to see their data, where it goes and how it is used.” In many ways, GDPR was a wake-up call to companies, and in order to comply, they had to take a hard look at their data flows and processes. Additionally, Forsheit points out, “Under GDPR, you don’t do anything unless you have a lawful basis for processing the data, or consent from individuals to do certain kinds of things, requiring a legitimate interest.” (For more information on consent under GDPR, check out our article GDPR on Consent.)
Data Breaches: Inevitable?
Even before GDPR, companies lived in fear of a data breach. Consumers have become more sensitive to the cybersecurity of the companies they interact with, and large companies have felt the consequences of these data breaches: litigation, a loss of trust, and a decline in the public’s willingness to hand over their information. As more of our lives move online and the value of information rises, hackers and data breaches have become part of doing business in today’s world. In many instances, a data breach is no longer a matter of “if” but a matter of “when.”
In response, companies have begun to create cybersecurity action plans to streamline their response to a data breach incident. In the United States, many states have implemented legislation requiring companies to inform consumers of data breach incidents within a set timeframe after discovery of the incident. As of now, all 50 states have a data breach notification law. Forsheit says, “The US has had data breach laws since 2003; California was first, Alabama was the last,” and the result is a patchwork of regulations that companies must follow to remain compliant in the event of a data breach.
GDPR on Data Breach Notification: A High Standard
However, GDPR has kicked things up a notch by creating a sense of urgency around data breaches, requiring a 72-hour notice period after discovery of the breach. Data breach notification under GDPR creates a high standard for notifying individuals of a data breach. Article 33 of GDPR states the data breach notification requirements as:
- In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
- The processor shall notify the controller without undue delay after becoming aware of a personal data breach.
GDPR goes on to explain that the notification of the data breach to the regulating authority should include broad information about who was affected by the breach, the approximate number of records concerned, and the contact information for a point of contact from whom the regulator can obtain more information. The data controller should also describe the likely consequences of the data breach and the measures taken by the controller to address it, including any mitigating offers to those affected by the breach. If this information is not available immediately, it should be provided in phases without undue further delay. (For a discussion of some of the terms related to GDPR, please see our article on GDPR compliance.)
In some ways, the US is prepared for the data breach notification provision under GDPR. Forsheit says, “We do have those kinds of [data breach notification] obligations under state laws, so that part of it is not new; however, it is completely different under GDPR. GDPR has a 72-hour notification regulation to regulators, while in the US you must notify individuals.” Additionally, GDPR has the wrinkle of not requiring notification if “the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons,” which requires an additional level of analysis: the controller must assess the risk to the affected individuals before deciding whether the notification obligation applies.
The Wisdom of a Cyber-Incident Plan
These factors increase the importance of a cyber-incident response plan for companies and organizations. Forsheit says that many cyber-insurance providers require an incident plan before offering coverage. With GDPR, such plans have only become more important.
A cybersecurity incident plan should start at the beginning: it should define what constitutes a data breach and outline how a breach will be detected. Forsheit also says a cybersecurity response plan should contain information on what to do when a breach is discovered, whom to call, and which vendors to contact, and perhaps even have plans in place or companies on retainer for such an incident, to avoid confusion and to save time. Forsheit says, “There are benefits to negotiating with vendors before you have a problem.” A bit of preparation can be helpful during a stressful situation, and having a plan in place can help eliminate mistakes. For more information on cybersecurity response plans and their key components, check out our article Preparation and Practice: Keys to Responding to a Cyber Security Incident.