The EU GDPR requires that you notify your Supervisory Authority (SA) of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. It is not so much a matter of simply giving the SA a heads up and going on your way, though.
1. GDPR, heads up!
Applies from: May 25th 2018
Maximum fine: 4% of annual worldwide turnover or €20m, whichever is higher
2. What is it? - Definition
A Data Protection Game Changer
Equality across all EU Member states: GDPR is directly effective as a regulation, so it leaves little room for national interpretation of its rules (it does allow Member states to specify some areas themselves).
Legislation with teeth: supervisory authorities are empowered to fine companies up to the higher of 4% of annual worldwide turnover or €20 million. Individuals will also be entitled to claim compensation where they have suffered a loss.
Accountability: the law may require the appointment of a data protection officer, mandatory breach reporting, and documented compliance to show that individuals' fundamental rights are taken seriously.
Applies to organizations anywhere that control or process the personal data of people in the EU.
3. When it comes to breach reporting, you need to describe the nature of the personal data breach as follows:
I. Categories and approximate number of individuals concerned, and of personal data records concerned – who are these people, what relationship do they have with your organization (customers, employees, business partners, etc.), and roughly how many records are involved?
II. The name and contact details of the data protection officer – does your organization have a data protection officer? If not, you need to designate another point of contact who can provide more information.
III. A description of the likely consequences of the personal data breach – what could come of this breach? Identity theft and further account compromise are examples here.
IV. Mitigation or remediation measures – describe what has been done, or what will be done, to address the personal data breach and, where appropriate, to reduce its potential adverse effects.
Luckily, this level of detail is not required for every breach – only for personal data breaches that are likely to result in a risk to the rights and freedoms of individuals – but gathering that much information within 72 hours can be pretty daunting. If you cannot provide everything at once, the information may be supplied in phases, but the initial notification must still be made without undue delay. Complete visibility of personal data and of the systems and people that interact with it will be paramount when attempting to accurately report a personal data breach to the GDPR standard. Anticipation is key.
What is it? - Report
6. Key people/departments that need to consider and anticipate this law
HR, Legal, Marketing, Finance, IT, Procurement, Support
7. Next steps to consider in anticipation of this law
1. Raise awareness
2. Make a plan
3. Identify critical data per department
4. Identify & assess Privacy related risks
5. Review periodically and run drills to report a breach
6. Conduct an audit
8. GDPR Myths
I. My business is an SME, hence NOT my concern. FALSE
II. GDPR is all about security. FALSE
III. Fines are significant, but the supervisory authority won't really fine at this level; a warning is more likely instead. FALSE
IV. My business is located outside Europe, hence can't be affected. FALSE
V. I have loads of time to get compliant before May 2018. FALSE
VI. GDPR affects only data controllers and not processors. FALSE
9. GDPR Benefits
1. Reduce reputational risks
2. Reduce financial risks
3. Organize our data
4. Build trust
5. Reduce chaos
6. Peace of mind