GDPR: Data Breach Notification and Communications

An introduction to data breach notification and communications requirements under the EU's GDPR, and what it means for communicators and reputation managers


  1. CPC& GDPR: DATA BREACH NOTIFICATION & COMMUNICATIONS. AN INTRODUCTION. © Charlie Pownall/CPC & Associates 2017. All rights reserved. January 2018
  2. Overview
     • Governs the way organisations across the EU process, store, and protect customers’ personal data
       – Takes effect on May 25, 2018
     • Replaces national legislation, complementary to other EU legislation
       – NISD/Cybersecurity Directive, 2016 (for Essential Service/Digital Service Providers)
       – Privacy and Electronic Communications Directive, 2003
       – E-Privacy Directive, 2018 (digital marketing, cookies)
     • Broad definition of personal data
       – PII: name, date of birth, gender, height, weight, telephone number, postal address, email address, passport number, social security number, driving license number, IP address, location data, cookie data, RFID tags
       – Sensitive or SPII: medical, genetic, biometric, race, ethnicity, political or religious beliefs, sexual preference
  3. Overview (2)
     • Companies must set ‘reasonable’ levels of protection of personal data
       – Data Protection Officers
       – Data Protection Impact Assessments
       – Codes of Conduct
       – Anonymisation, pseudonymisation, encryption
     • Strengthens personal rights of EU citizens, including:
       – Data access
       – Rectification
       – Erasure (cf. Right to be Forgotten - pdf)
       – Portability
       – Objection
       – etc.
  4. Overview (3)
     • Requires organisations to notify a breach
       – To the regulator: where it is likely to result in a risk to the rights and freedoms of individuals
       – To affected individuals: where it is likely to result in a high risk to their rights and freedoms
     • Applies to all organisations operating in and/or collecting personal data in the EU
     • Tiered fines up to EUR 10m or 2% of annual turnover
     • Regarded as the international gold standard
  5. Transparency obligations
     Data protection-related information and communications must be:
       – Concise, transparent and intelligible
       – Easily accessible
       – Clear and in plain language
       – In writing or by other means
       – May be provided orally
       – Free of charge
  6. Data breach notification – regulator
     • Mandatory notification within 72 hours of discovery of a breach
       – To the relevant competent supervisory authority/regulator
       – ‘Without undue delay’ for data processors
       – Reasons for any delay beyond 72 hours must be explained
     • If the breach poses a likely risk/high risk to the rights and freedoms of individuals
       – Physical, material or non-material damage
       – Loss of control over personal data, limitation of rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, and loss of confidentiality of personal data protected by professional secrecy
       – Other significant economic or social disadvantage to impacted individuals
  7. Data breach notification (2)
     • ‘A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed’ *
     • Types of personal data breaches
       – Confidentiality: unauthorised or accidental disclosure of, or access to, personal data
       – Availability: accidental or unauthorised loss of access to, or destruction of, personal data
       – Integrity: unauthorised or accidental alteration of personal data
     * Source: GDPR Article 4(12)
  8. Data breach notification requirements
     Notification to the supervisory authority should contain:
     • Categories and approximate number of individuals involved
     • Categories and approximate number of personal records involved
     • Name and contact details of the Data Protection Officer or other contact point
     • Description of the likely consequences of the breach
     • Description of the measures taken, or proposed to be taken, to address the personal data breach, including, where appropriate, measures taken to mitigate its possible adverse effects.
  9. Data breach notification - exceptions
     • If the personal data is unintelligible and a copy or back-up exists
     • Where the personal data is already publicly available
     • If notification is considered ‘disproportionate’ to the actual or potential damage
  10. Data breach notification - grey areas
     • Timing
     • Level of risk
     • Loss of data availability
  11. Timing
     • Reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised
       – Scenario 1: In the case of a loss of a CD with unencrypted data it is often not possible to ascertain whether unauthorised persons gained access. Nevertheless, such a case has to be notified as there is a reasonable degree of certainty that a breach has occurred; the controller would become “aware” when it realised the CD had been lost.
       – Scenario 2: A third party informs a controller that it has accidentally received the personal data of one of the controller’s customers and provides evidence of the unauthorised disclosure.
       – Scenario 3: A controller detects that there has been a possible intrusion into its network. The controller checks its systems to establish whether personal data held on that system has been compromised and confirms this is the case.
       – Scenario 4: A cybercriminal contacts the controller after having hacked its system in order to ask for a ransom.
  12. Timing (2)
     • Delayed notification
       – The reason for the delay must be explained if notification is not made within 72 hours
       – Scenario: where a controller experiences multiple, similar confidentiality breaches over a short period of time, leading to a ‘bundled notification’
     • Breaches in more than one EU state
       – The controller should notify the relevant lead supervisory authority
       – Example: Facebook to notify the supervisory authority in the Republic of Ireland of breaches impacting personal data across multiple EU states
     • For data processors
       – Recommends immediate notification by the processor to the data controller
       – The controller is considered aware once the processor has become aware
  13. Timing (3)
     • Customer/affected individuals notification
       – Is required ‘in certain cases’, i.e. if special categories of personal data are disclosed online and/or where there is a high risk to the rights and freedoms of the individuals impacted
       – The principal objective is ‘to provide specific information about steps [affected individuals] can take to protect themselves’
     • Contacting individuals
       – Information should be communicated directly
         • Email, SMS, direct message, prominent website banners or notification, postal communications, print media advertisements
       – A press release or corporate blog post is considered inadequate
       – Should not accompany other information (newsletters, etc.)
       – Should be in the relevant local language
       – The supervisory authority can be contacted for advice on appropriate channels and formats
  14. Data breach notification information
     Notification to affected individuals should contain at least the following information:
     • Description of the nature of the breach
     • Name and contact details of the data protection officer or other contact point
     • Description of the likely consequences of the breach
     • Description of measures taken, or proposed to be taken, to address the breach, including, where appropriate, measures taken to mitigate its possible adverse effects.
  15. Level of risk
     • Determination of the level of risk to the rights and freedoms of individuals
       – Risk exists: identity theft or fraud, financial loss, damage to reputation, discrimination, emotional distress, etc.
       – High risk exists: racial or ethnic data, political opinion, religion or philosophical beliefs, trade union membership, genetic data, health, sex life, criminal convictions and offences
     • Type of breach
       – e.g. confidentiality vs availability breach
     • Nature, sensitivity and volume of personal data
       – Isolated data may cause harm, but different kinds of data can be used together for data theft, fraud, etc.
       – Data indicating customers are on holiday
  16. Level of risk (2)
     • Ease of identification of individuals
       – Ease with which individuals can be identified directly or indirectly by matching data with other information
       – Identification may depend on the context and type of breach
     • Severity of consequences to individuals
       – Motivation of and trust in the people or organisation(s) finding and/or using the data
       – Likely impact over time for individuals
     • Special characteristics of the individual
       – Children and vulnerable individuals are at greater risk
     • Special characteristics of the data controller
       – e.g. medical organisations
  17. Loss of availability
     • Permanent vs temporary loss of availability
       – Where data has been deleted either accidentally or by an unauthorised person, or, in the example of securely encrypted data, the decryption key has been lost. In the event that the controller cannot restore access to the data, for example from a backup, then this is regarded as a permanent loss of availability.
       – Significant disruption to the normal service of an organisation, for example experiencing a power failure or denial of service attack, rendering personal data unavailable, either permanently or temporarily.
     • Notification of temporary breaches
       – If critical medical data about (hospital) patients are unavailable, even temporarily, this could present a risk to individuals’ rights and freedoms; for example, operations may be cancelled.
       – Conversely, in the case of a media company’s systems being unavailable for several hours (e.g. due to a power outage), if that company is then prevented from sending newsletters to its subscribers, this is unlikely to present a risk to individuals’ rights and freedoms.
  18. Loss of availability (2)
     • Other impacts
       – Infection by ransomware (malicious software which encrypts the controller’s data until a ransom is paid) could lead to a temporary loss of availability if the data can be restored from backup. However, a network intrusion still occurred, and notification could be required if the incident is qualified as a confidentiality breach (i.e. personal data is accessed by the attacker) and this presents a risk to the rights and freedoms of individuals.
  19. For PR/communications teams
     1. Understand GDPR scope and principles, and notification requirements, grey areas and best practices
        – How GDPR relates to other EU and national data protection laws and obligations
        – Legal updates, relevant European Commission/UK ICO GDPR working parties
     2. Educate Leadership, Legal, IT, security and other stakeholders
        – Customer and stakeholder privacy needs and expectations
        – Cyber/data breach reputation trends, risks and impact
        – Role of communications in data breach preparation and response
     3. Ensure PR/communications is formally represented on relevant company committees and teams
        – GDPR, Data breach, Cybersecurity, etc.
  20. For PR/communications teams (2)
     4. Work closely with Legal, IT and security to develop or update company cyber/data breach response plans
        – Assess and prioritise different types of data breach risks to your organisation, including the reputational risks to your organisation, and for the individuals impacted
        – Develop communication plans for different types of data breach, including key messages, priority and secondary audiences, order and timing (regulators, customers, employees, investors, etc.), format, channels
        – Consider the reputational risks of not disclosing different data breach risks, taking into account:
          • The risks of actual or perceived cover-up
          • Likely negative customer and stakeholder reaction
          • Possibility of regulator investigation
        – Ensure your response plans are comprehensive, clear, practical, and fit for purpose
  21. For PR/communications teams (3)
     5. Test and update your plans regularly
        – Protocols and processes
        – Messaging and content
        – Digital/social media dialogue and feedback
        – Leadership and team dynamics
  22. Useful resources
     Documents
     • General Data Protection Regulation
     • Article 29 Working Party - Guidelines on Data Breach Notification
     • Article 29 Working Party - Guidelines on Data Protection Impact Assessment
     • ENISA - Data Breach Severity Methodology
     Organisations
     • European Commission
     • UK ICO
     • The Law Society
     • CIPR
     • IAPP
  23. Further Information
     +44 20 3856 3599
     +44 (0)7973 379 989
     cp@charliepownall.com
     charliepownall.com
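The regulator/individual notification decision, the 72-hour deadline, the exceptions and the availability cases on the "Loss of availability" slides reduce to a small decision procedure that an incident-response team can keep beside its runbook. The following Python is an added example written for this page, not code from the original deck; the Breach attribute names, the threshold used for "high risk" (special-category data or vulnerable subjects) and the scenario values are simplifying assumptions, not the regulation's own tests.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Special categories listed on the "Level of risk" slide; their exposure means "high risk"
SPECIAL_CATEGORIES = {"racial_ethnic", "political", "religious", "trade_union",
                      "genetic", "biometric", "health", "sex_life", "criminal"}

@dataclass
class Breach:                          # assumed attribute names, not from the deck
    discovered_at: datetime            # when the controller became "aware" (Timing slide)
    breach_types: set                  # subset of {"confidentiality", "availability", "integrity"}
    data_categories: set               # e.g. {"email", "health"}
    unintelligible: bool = False       # encrypted and the key was not compromised
    backup_available: bool = False     # access can be restored, e.g. from backup
    already_public: bool = False       # the data was already publicly available
    critical_dependency: bool = False  # people depend on the data right now (hospital example)
    vulnerable_subjects: bool = False  # children or other vulnerable individuals

@dataclass
class Decision:
    notify_regulator: bool
    notify_individuals: bool
    regulator_deadline: datetime
    reasons: list = field(default_factory=list)

def triage(b: Breach) -> Decision:
    """Apply the notification rules summarised on the slides to one breach."""
    d = Decision(False, False, b.discovered_at + timedelta(hours=72))  # 72h from discovery
    if b.already_public:                               # exceptions slide
        d.reasons.append("exception: data already publicly available")
    elif b.unintelligible and b.backup_available:
        d.reasons.append("exception: data unintelligible and a backup exists")
    else:
        # Availability loss is permanent if unrestorable; a temporary loss still counts when people depend on it
        unavailable = "availability" in b.breach_types
        permanent_loss = unavailable and not b.backup_available
        exposed = bool(b.breach_types & {"confidentiality", "integrity"})
        if exposed or permanent_loss or (unavailable and b.critical_dependency):
            d.notify_regulator = True
            d.reasons.append("risk to rights and freedoms: notify supervisory authority")
            if b.data_categories & SPECIAL_CATEGORIES or b.vulnerable_subjects:
                d.notify_individuals = True            # high risk: tell the individuals too
                d.reasons.append("high risk: notify affected individuals directly")
        else:
            d.reasons.append("no likely risk to rights and freedoms")
    return d

T0 = datetime(2018, 5, 25, 9, 0)       # constructed discovery time
def ransomware(data_accessed: bool) -> Decision:   # ransomware slide: restorable, but was data read?
    types = {"availability"} | ({"confidentiality"} if data_accessed else set())
    return triage(Breach(T0, types, {"name", "email"}, backup_available=True))
```

The same ransomware incident flips from "no notification" to "notify the regulator" the moment the investigation shows the attacker read personal data, which is the point the deck makes about availability incidents that are also confidentiality breaches.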
