GDPR: Data Breach Notification and Communications

Charlie Pownall
Reputation & Communications Advisor, Trainer, Educator and Author
CPC&
GDPR: DATA BREACH NOTIFICATION & COMMUNICATIONS
AN INTRODUCTION
© Charlie Pownall/CPC & Associates 2017. All rights reserved
January 2018
Overview
• Governs the way organisations across the EU process, store and protect
individuals’ personal data
– Takes effect on May 25, 2018
• Replaces the 1995 Data Protection Directive and the national laws implementing it, and
sits alongside other EU legislation:
– NIS Directive, 2016 (operators of essential services and digital service providers)
– e-Privacy Directive 2002/58/EC (implemented in the UK by the Privacy and Electronic
Communications Regulations 2003)
– Proposed e-Privacy Regulation (digital marketing, cookies), intended to replace the
Directive but not yet adopted as of January 2018
• Broad definition of personal data: any information relating to an identified or
identifiable natural person
– Examples: name, date of birth, gender, height, weight, telephone number, postal address,
email address, passport number, social security number, driving licence number, IP
address, location data, cookie identifiers, RFID tags
– Special categories (sensitive data): health, genetic and biometric data, racial or ethnic
origin, political opinions, religious or philosophical beliefs, trade union membership,
sex life or sexual orientation; criminal conviction data is subject to separate restrictions
Overview (2)
• Organisations must implement ‘appropriate’ technical and organisational measures to
protect personal data, including:
– Data Protection Officers (mandatory for public authorities and for large-scale or
sensitive processing)
– Data Protection Impact Assessments
– Codes of Conduct
– Anonymisation, pseudonymisation, encryption
• Strengthens the rights of individuals (data subjects) in the EU, including:
– Access
– Rectification
– Erasure (the ‘right to be forgotten’)
– Restriction of processing
– Portability
– Objection
– Rights in relation to automated decision-making and profiling
Overview (3)
• Requires organisations to notify a personal data breach
– To the supervisory authority: unless the breach is unlikely to result in a risk to the
rights and freedoms of individuals
– To affected individuals: where it is likely to result in a high risk to their rights and
freedoms
• Applies to all organisations established in the EU, and to organisations outside the EU
that offer goods or services to, or monitor the behaviour of, individuals in the EU
• Tiered fines: up to EUR 10m or 2% of worldwide annual turnover for the lower tier (which
covers security and breach-notification failures), up to EUR 20m or 4% for the higher tier
(basic principles, data subjects’ rights), whichever is higher
• Regarded as the international gold standard for data protection
Transparency obligations
Data protection-related information and communications must be:
– Concise, transparent and intelligible
– Easily accessible
– In clear and plain language
– Provided in writing or by other means, including electronically
– Provided orally where the individual requests it and their identity has been verified
– Free of charge
Data breach notification – regulator
• Mandatory notification within 72 hours of the controller becoming aware of a breach
– To the competent supervisory authority (the regulator)
– Data processors must notify the controller ‘without undue delay’ after becoming aware
– Reasons for any delay beyond 72 hours must accompany the notification
• Required unless the breach is unlikely to result in a risk to the rights and freedoms
of individuals. Relevant harms include:
– Physical, material or non-material damage
– Loss of control over personal data, limitation of rights, discrimination, identity
theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage
to reputation, and loss of confidentiality of personal data protected by
professional secrecy
– Any other significant economic or social disadvantage to the individuals concerned
Data breach notification (2)
• ‘A breach of security leading to the accidental or unlawful
destruction, loss, alteration, unauthorised disclosure of, or access to,
personal data transmitted, stored or otherwise processed’ *
• Types of personal data breaches (a single incident can fall into more than one type):

Breach type      Description
Confidentiality  Unauthorised or accidental disclosure of, or access to, personal data
Availability     Accidental or unauthorised loss of access to, or destruction of, personal data
Integrity        Unauthorised or accidental alteration of personal data

* Source: GDPR Article 4(12)
Data breach notification requirements
Notification to the supervisory authority should contain at least:
• Nature of the breach, including the categories and approximate number of individuals concerned
• Categories and approximate number of personal data records concerned
• Name and contact details of the Data Protection Officer or other contact point
• Description of the likely consequences of the breach
• Description of the measures taken, or proposed to be taken, to address
the personal data breach, including, where appropriate, measures taken
to mitigate its possible adverse effects
Where not all of this information is available within 72 hours, it may be provided in
phases without undue further delay. Every breach, notified or not, must be documented
internally so that the supervisory authority can verify compliance.
Data breach notification - exceptions (communication to individuals)
Notification to affected individuals is not required where:
• The personal data was rendered unintelligible to anyone not authorised to access it, e.g.
through encryption with an uncompromised key, and a copy or back-up exists so the data
remains available
• The controller has since taken measures that ensure the high risk is no longer likely
to materialise
• Direct communication would involve ‘disproportionate’ effort; in that case a public
communication or similar measure that informs individuals equally effectively is required
instead
Disclosure of personal data that is already publicly available is unlikely to present a
risk, but the breach must still be assessed and documented.
Data breach notification - grey areas
• Timing
• Level of risk
• Loss of data availability
Timing
• A controller is ‘aware’ once it has a reasonable degree of certainty that a security
incident has occurred that has led to personal data being compromised; the 72-hour clock
starts then, not when the investigation concludes
– Scenario 1: In the case of the loss of a CD with unencrypted data it is often not
possible to ascertain whether unauthorised persons gained access. Nevertheless,
such a case has to be notified as there is a reasonable degree of certainty that a
breach has occurred; the controller becomes ‘aware’ when it realises the
CD has been lost
– Scenario 2: A third party informs a controller that it has accidentally received
the personal data of one of the controller’s customers and provides evidence of the
unauthorised disclosure; the controller is aware on receiving that evidence
– Scenario 3: A controller detects a possible intrusion into its
network. It checks its systems to establish whether personal data
held on them has been compromised and confirms this is the case; it is aware at the
point of confirmation, a short period of investigation to establish the facts being permitted
– Scenario 4: A cybercriminal contacts the controller after hacking its system
to demand a ransom; the controller is aware immediately, having been presented with
evidence of the compromise
Timing (2)
• Delayed notification
– Reasons for the delay must be given if notification is not made within 72 hours
– Scenario: a controller experiences multiple, similar confidentiality
breaches over a short period of time and submits a single ‘bundled notification’
covering them
• Breaches affecting individuals in more than one EU state
– The controller notifies its lead supervisory authority (the authority of its main
establishment), which coordinates with the other authorities concerned
– Example: Facebook, whose EU main establishment is in the Republic of Ireland, would
notify the Irish supervisory authority of breaches impacting personal data across
multiple EU states
• For data processors
– Processors should notify the controller immediately, supplying further detail in phases
as it becomes available
– The controller is considered aware once the processor has become aware, so processor
contracts should set out how, and how quickly, breaches are reported
Timing (3)
• Notifying customers/affected individuals
– Required where the breach is likely to result in a high risk to the rights and freedoms
of the individuals concerned, e.g. where special categories of personal data are
disclosed online
– The principal objective is ‘to provide specific information about steps [affected
individuals] can take to protect themselves’
• Contacting individuals
– Information should be communicated directly to each individual
• Email, SMS, direct message, prominent website banners or notifications, postal communications, print
media advertisements
– A press release or corporate blog post on its own is considered inadequate
– The notice should be a dedicated message, not bundled with other information
(newsletters, etc)
– Should be in the language(s) the affected individuals understand
– The supervisory authority can be consulted on appropriate channels and formats, and
can itself require the controller to notify individuals
Data breach notification information
Notification to affected individuals should, in clear and plain language, contain at least
the following information:
• Description of the nature of the breach
• Name and contact details of the Data Protection Officer or other contact point
• Description of the likely consequences of the breach
• Description of the measures taken, or proposed to be taken, to address the
breach, including, where appropriate, measures taken to mitigate its
possible adverse effects, and specific advice on steps individuals can take themselves
Level of risk
• Determining the level of risk to the rights and freedoms of
individuals
– A risk exists where the breach could lead to identity theft or fraud, financial loss,
damage to reputation, discrimination, emotional distress, etc
– A high risk is likely where special categories of data are involved: racial or ethnic
origin, political opinions, religious or philosophical beliefs, trade union membership,
genetic data, health, sex life, criminal convictions and offences
• Type of breach
– e.g. a confidentiality breach generally has different consequences from an
availability breach
• Nature, sensitivity and volume of personal data
– Isolated data items may cause limited harm, but different kinds of data can be combined
for identity theft, fraud, etc
– e.g. a list of customer addresses combined with data indicating which customers are
away on holiday
Level of risk (2)
• Ease of identification of individuals
– How easily individuals can be identified directly, or indirectly by matching the
data with other information
– Identification may depend on the context and type of breach
• Severity of consequences for individuals
– Motivation of, and trust in, the people or organisation(s) finding and/or using the
data: an accidental disclosure to a trusted recipient who deletes the data differs
from theft by a criminal
– Likely impact over time for individuals
• Special characteristics of the individuals
– Children and other vulnerable individuals are at greater risk
• Special characteristics of the data controller
– e.g. medical organisations, whose data is inherently sensitive
• Number of affected individuals
– A large-scale breach generally raises the risk, though a breach affecting a single
person can still be severe
Loss of availability
• Permanent vs temporary loss of availability
– Permanent: data has been deleted, accidentally or by an unauthorised person, or, in
the case of securely encrypted data, the decryption key has been lost, and the controller
cannot restore access, for example from a backup
– Temporary: significant disruption to the normal service of an organisation, for example
a power failure or denial of service attack, renders personal data unavailable for a
period. A temporary loss is still a breach; whether it must be notified depends on the
risk to individuals
• Notification of temporary availability breaches
– If critical medical data about (hospital) patients are unavailable, even temporarily, this
could present a risk to individuals’ rights and freedoms; for example, operations may
be cancelled
– Conversely, if a media company’s systems are unavailable for several
hours (e.g. due to a power outage) and it is prevented from sending
newsletters to its subscribers, this is unlikely to present a risk to individuals’ rights and
freedoms
Loss of availability (2)
• Other impacts
– Infection by ransomware (malicious software which encrypts the controller’s
data until a ransom is paid) leads to a temporary loss of availability if the
data can be restored from backup, and a permanent one if it cannot. Either way a
network intrusion has occurred, and notification is required if the incident also
qualifies as a confidentiality breach (i.e. personal data was accessed or exfiltrated
by the attacker) and presents a risk to the rights and freedoms of individuals. Even
where no notification is required, the breach must be documented internally
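The decision points covered above (breach type, the moment of awareness and the 72-hour clock, the high-risk threshold for telling individuals, and the temporary/permanent availability and ransomware cases) are the kind of logic an incident-response runbook has to encode consistently. The Python helper below is an added illustration, not part of the original slides or of any regulator’s tooling; its field names, the constructed sample scenarios and the rule that any exposure of special-category data counts as high risk are simplifying assumptions, and its output is the starting point for the legal and DPO assessment rather than a replacement for it.

```python
"""Added breach-triage helper (not from the original deck). Encodes the slides' decision
points: breach types (Art 4(12)), the 72-hour clock from awareness (Art 33), the high-risk
threshold for notifying individuals (Art 34) and the availability/ransomware edge cases.
Field names and thresholds are simplified assumptions for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Special categories the slides treat as pushing the risk to "high" (assumption: any hit => high)
SPECIAL_CATEGORIES = frozenset({"racial_ethnic", "political", "religious", "trade_union",
                                "genetic", "biometric", "health", "sex_life", "criminal"})
NOTIFICATION_WINDOW = timedelta(hours=72)


@dataclass
class Incident:
    description: str
    data_categories: frozenset          # e.g. frozenset({"name", "health"})
    subjects: int                       # approximate number of individuals concerned
    exposed: bool = False               # data lost, stolen or read by someone not entitled to it
    altered: bool = False               # data changed without authorisation
    unavailable: bool = False           # data inaccessible, even temporarily
    encrypted: bool = False             # exposed data was strongly encrypted at rest
    key_compromised: bool = False       # the decryption key was exposed too
    restorable_from_backup: bool = True
    harm_from_downtime: bool = False    # e.g. hospital: unavailability itself harms patients
    publicly_available: bool = False    # exposed data was already public
    vulnerable_subjects: bool = False   # children or other vulnerable individuals
    processor_aware_at: Optional[datetime] = None
    controller_aware_at: Optional[datetime] = None


def breach_types(inc: Incident) -> set:
    """Classify per the confidentiality/integrity/availability table. Encrypted data whose
    key stayed secret remains unintelligible, so its exposure is not a confidentiality
    breach; loss that cannot be restored is a permanent availability loss."""
    types = set()
    if inc.exposed and not (inc.encrypted and not inc.key_compromised):
        types.add("confidentiality")
    if inc.altered:
        types.add("integrity")
    if inc.unavailable:
        types.add("availability_temporary" if inc.restorable_from_backup
                  else "availability_permanent")
    return types


def risk_level(inc: Incident, types: set) -> str:
    """Return 'none', 'risk' or 'high' following the slides' criteria (simplified)."""
    exposure = ("confidentiality" in types and not inc.publicly_available) or "integrity" in types
    if exposure and (inc.data_categories & SPECIAL_CATEGORIES or inc.vulnerable_subjects):
        return "high"
    if "availability_permanent" in types and inc.harm_from_downtime:
        return "high"
    if exposure or "availability_permanent" in types:
        return "risk"
    if "availability_temporary" in types and inc.harm_from_downtime:
        return "risk"      # e.g. hospital systems down and operations cancelled
    return "none"          # e.g. a newsletter delayed by a power outage


def awareness_time(inc: Incident) -> Optional[datetime]:
    """The controller counts as aware as soon as its processor is, so the 72-hour clock
    starts at the earliest known awareness time, not when the controller was told."""
    known = [t for t in (inc.processor_aware_at, inc.controller_aware_at) if t is not None]
    return min(known) if known else None


def triage(inc: Incident) -> dict:
    types = breach_types(inc)
    risk = risk_level(inc, types)
    aware = awareness_time(inc)
    return {
        "types": types,
        "risk": risk,
        "notify_authority": risk != "none",      # Art 33: unless unlikely to result in a risk
        "notify_individuals": risk == "high",    # Art 34: only where a high risk is likely
        "authority_deadline": aware + NOTIFICATION_WINDOW if aware else None,
        "record_internally": True,               # Art 33(5): document every breach, notified or not
    }


# Constructed sample scenarios mirroring the slides (not real incidents).
T0 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
SCENARIOS = {
    "ransomware_restored": Incident("Ransomware on newsletter server, restored from backup, no exfiltration",
                                    frozenset({"email"}), 50_000, unavailable=True, controller_aware_at=T0),
    "ransomware_exfiltrated": Incident("Ransomware at a hospital; logs show patient records were read",
                                       frozenset({"name", "health"}), 2_000, exposed=True, unavailable=True,
                                       harm_from_downtime=True, processor_aware_at=T0,
                                       controller_aware_at=T0 + timedelta(hours=30)),
    "lost_cd": Incident("Unencrypted CD of customer contact details lost in the post",
                        frozenset({"name", "postal_address"}), 300, exposed=True, controller_aware_at=T0),
    "encrypted_laptop": Incident("Stolen laptop, full-disk encryption, key not exposed, data backed up",
                                 frozenset({"name", "email"}), 5_000, exposed=True, encrypted=True,
                                 controller_aware_at=T0),
}

if __name__ == "__main__":
    for name, inc in SCENARIOS.items():
        print(name, triage(inc))
```

Running the script prints one verdict per scenario: the restored ransomware case and the encrypted laptop need no notification but are still recorded; the lost CD goes to the supervisory authority only; the hospital ransomware with exfiltrated health data goes to both, and its deadline is 72 hours from the processor’s awareness (T0), not from the moment the controller was informed 30 hours later.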
For PR/communications teams
1. Understand GDPR scope and principles, and notification
requirements, grey areas and best practices
– How GDPR relates to other EU and national data protection laws and
obligations
– Legal updates, relevant European Commission/UK ICO GDPR working parties
2. Educate Leadership, Legal, IT, security and other stakeholders
– Customer and stakeholder privacy needs and expectations
– Cyber/data breach reputation trends, risks and impact
– Role of communications in data breach preparation and response
3. Ensure PR/communications is formally represented on relevant
company committees and teams
– GDPR, data breach, cybersecurity, etc
For PR/communications teams (2)
4. Work closely with Legal, IT and security to develop or update
company cyber/data breach response plans
– Assess and prioritise the different types of data breach risk to your
organisation, including the reputational risks to the organisation and the risks to
the individuals impacted
– Develop communication plans for different types of data breach, including
key messages, priority and secondary audiences, order and timing
(regulators, customers, employees, investors, etc), format and channels
– Consider the reputational risks of not disclosing a breach,
taking into account:
• The risk of an actual or perceived cover-up
• Likely negative customer and stakeholder reaction
• The possibility of a regulator investigation
– Ensure your response plans are comprehensive, clear, practical and fit for
purpose
For PR/communications teams (3)
5. Test and update your plans regularly
– Protocols and processes
– Messaging and content
– Digital/social media dialogue and feedback
– Leadership and team dynamics.
Useful resources
Documents
• General Data Protection Regulation
• Article 29 Working Party - Guidelines on Data Breach Notification
• Article 29 Working Party - Guidelines on Data Protection Impact Assessment
• ENISA - Data Breach Severity Methodology
Organisations
• European Commission
• UK ICO
• The Law Society
• CIPR
• IAPP
Further Information
+44 20 3856 3599
+44 (0)7973 379 989
cp@charliepownall.com
charliepownall.com