CPC&
GDPR: DATA BREACH
NOTIFICATION &
COMMUNICATIONS
AN INTRODUCTION
© Charlie Pownall/CPC & Associates 2017. All rights reserved
January 2018
Overview
• Governs the way organisations across the EU process, store, and protect
customers’ personal data
– Takes effect on May 25, 2018
• Replaces national legislation, complementary to other EU legislation
– NISD/Cybersecurity Directive, 2016 (for Essential Service/Digital Service Providers)
– Privacy and Electronic Communications Directive, 2003
– E-Privacy Directive, 2018 (digital marketing, cookies)
• Broad definition of personal data
– PII: name, date of birth, gender, height, weight, telephone number, postal address,
email address, passport number, social security number, driving license number, IP
address, location data, cookie data, RFID tags
– Sensitive or SPII: medical, genetic, biometric, race, ethnicity, political or religious
beliefs, sexual preference
Overview (2)
• Companies must set ‘reasonable’ levels of protection of personal
data
– Data Protection Officers
– Data Protection Impact Assessments
– Codes of Conduct
– Anonymisation, pseudonymisation, encryption
• Strengthens personal rights of EU citizens, including:
– Data access
– Rectification
– Erasure (cf. Right to be Forgotten)
– Portability
– Objection
– etc
Overview (3)
• Requires organisations to notify a breach
– To regulator: where it is likely to result in a risk to the rights and freedoms of
individuals
– To affected individuals: where it is likely to result in a high risk to their rights and
freedoms
• Applies to all organisations operating in and/or collecting personal data
in the EU
• Tiered fines up to EUR 10m or 2% of annual turnover
• Regarded as international gold standard
Transparency obligations
Data protection-related information and communications must be:
– Concise, transparent and intelligible
– Easily accessible
– Clear and in plain language
– In writing or by other means
– May be provided orally
– Free of charge
Data breach notification – regulator
• Mandatory notification within 72 hours of discovery of a breach
– To the relevant competent supervisory authority/regulator
– ‘Without undue delay’ for data processors
– Reasons for any delay beyond 72 hours must be explained
• If the breach poses a likely risk/high risk to the rights and freedoms
of individuals
– Physical, material or non-material damage
– Loss of control over personal data, limitation of rights, discrimination, identity
theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage
to reputation, and loss of confidentiality of personal data protected by
professional secrecy
– Other significant economic or social disadvantage to impacted individuals
Data breach notification (2)
• ‘A breach of security leading to the accidental or unlawful
destruction, loss, alteration, unauthorised disclosure of, or access to,
personal data transmitted, stored or otherwise processed’ *
• Types of personal data breaches

  Breach type      Description
  Confidentiality  Unauthorised or accidental disclosure of, or access to, personal data
  Availability     Accidental or unauthorised loss of access to, or destruction of, personal data
  Integrity        Unauthorised or accidental alteration of personal data

* Source: GDPR Article 4(12)
Data breach notification requirements
Notification to supervisory authority should contain:
• Categories and approximate number of individuals involved
• Categories and approximate number of personal records involved
• Name and contact details of Data Protection Officer or other contact point
• Description of the likely consequences of the breach
• Description of the measures taken, or proposed to be taken, to address
the personal data breach, including, where appropriate, measures taken
to mitigate its possible adverse effects.
Data breach notification - exceptions
• If the personal data is unintelligible and where a copy or back-up
exists
• Where personal data is already publicly available
• If notification is considered ‘disproportionate’ to the actual or
potential damage
Data breach notification - grey areas
• Timing
• Level of risk
• Loss of data availability
Timing
• Reasonable degree of certainty that a security incident has occurred
that has led to personal data being compromised
– Scenario 1: In the case of a loss of a CD with unencrypted data it is often not
possible to ascertain whether unauthorised persons gained access. Nevertheless,
such a case has to be notified as there is a reasonable degree of certainty that a
breach has occurred; the controller would become “aware” when it realised the
CD had been lost.
– Scenario 2: A third-party informs a controller that they have accidentally received
the personal data of one of its customers and provides evidence of the
unauthorised disclosure
– Scenario 3: A controller detects that there has been a possible intrusion into its
network. The controller checks its systems to establish whether personal data
held on that system has been compromised and confirms this is the case
– Scenario 4: A cybercriminal contacts the controller after having hacked its system
in order to ask for a ransom.
Timing (2)
• Delayed notification
– Reason for delay must be explained if not made within 72 hours
– Scenario: where a controller experiences multiple, similar confidentiality
breaches over a short period of time, leading to a ‘bundled notification’
• Breaches in more than one EU state
– Controller should notify the relevant lead supervisory authority
– Example: Facebook to notify the supervisory authority in the Republic of Ireland
of breaches impacting personal data across multiple EU states
• For data processors
– Recommends immediate notification by processor to data controller
– The controller is considered aware once the processor has become aware
Timing (3)
• Customer/affected individuals notification
– Is required ‘in certain cases’, i.e. if special categories of personal data are
disclosed online and/or where there is a high risk to the rights and freedoms of
the individuals impacted
– The principal objective is ‘to provide specific information about steps [affected
individuals] can take to protect themselves’
• Contacting individuals
– Information should be communicated directly
• Email, SMS, direct message, prominent website banners or notification, postal communications, print
media advertisements
– Press release or corporate blog post is considered inadequate
– Should not accompany other information (newsletters, etc)
– Should be in the relevant local language
– Supervisory authority can be contacted for advice on appropriate channels and
formats
Data breach notification information
Notification to affected individuals should contain at least the
following information:
• Description of the nature of the breach
• Name and contact details of data protection officer or other contact point
• Description of the likely consequences of the breach
• Description of measures taken, or proposed to be taken, to address the
breach, including, where appropriate, measures taken to mitigate its
possible adverse effects.
Level of risk
• Determination of level of risk to the rights and freedoms of
individuals
– Risk exists: identity theft or fraud, financial loss, damage to reputation,
discrimination, emotional distress, etc
– High risk exists: racial or ethnic data, political opinion, religion or philosophical
beliefs, trade union membership, genetic data, health, sex life, criminal
convictions and offences
• Type of breach
– e.g. confidentiality vs availability breach
• Nature, sensitivity and volume of personal data
– Isolated data may cause harm, but different kinds of data can be used together
for data theft, fraud, etc
– Data indicating customers are on holiday
Level of risk (2)
• Ease of identification of individuals
– Ease with which individuals can be identified directly or indirectly by matching
data with other information
– Identification may depend on the context and type of breach
• Severity of consequences to individuals
– Motivation of and trust in people or organisation(s) finding and/or using the data
– Likely impact over time for individuals
• Special characteristics of the individual
– Children and vulnerable individuals are at greater risk
• Special characteristics of the data controller
– e.g. medical organisations
Loss of availability
• Permanent vs temporary loss of availability
– Where data has been deleted either accidentally or by an unauthorised person, or, in
the example of securely encrypted data, the decryption key has been lost. In the event
that the controller cannot restore access to the data, for example, from a backup, then
this is regarded as a permanent loss of availability.
– Significant disruption to the normal service of an organisation, for example,
experiencing a power failure or denial of service attack, rendering personal data
unavailable, either permanently, or temporarily.
• Notification of temporary breaches
– If critical medical data about (hospital) patients are unavailable, even temporarily, this
could present a risk to individuals’ rights and freedoms; for example, operations may
be cancelled.
– Conversely, in the case of a media company’s systems being unavailable for several
hours (e.g. due to a power outage), if that company is then prevented from sending
newsletters to its subscribers, this is unlikely to present a risk to individuals’ rights and
freedoms.
Loss of availability (2)
• Other impacts
– Infection by ransomware (malicious software which encrypts the controller’s
data until a ransom is paid) could lead to a temporary loss of availability if the
data can be restored from backup. However, a network intrusion still occurred,
and notification could be required if the incident is qualified as confidentiality
breach (i.e. personal data is accessed by the attacker) and this presents a risk to
the rights and freedoms of individuals.
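The notification criteria spread over the preceding slides (breach types, the 72-hour window, the controller being aware once its processor is, the regulator/individual risk thresholds, the unintelligible-data exception, and the temporary versus permanent availability cases including the ransomware one) can be combined into a single triage routine. The following Python is an added example, not part of the original deck or any tool of the author's; the Breach field names, the scenarios and the timestamps are constructed for illustration. Two modelling choices go beyond what the slides state and are marked as assumptions in the code: a permanent loss of availability is treated as a plain 'risk', and vulnerable data subjects raise an existing 'risk' to 'high'. The 'disproportionate effort' exception is not modelled, since it needs human judgement.

```python
"""Breach triage helper: applies the notification criteria summarised in these slides."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Special categories that, per the slides, create a high risk on their own
SPECIAL_CATEGORIES = frozenset({
    "racial_or_ethnic", "political_opinion", "religious_or_philosophical",
    "trade_union", "genetic", "health", "sex_life", "criminal",
})
RISK_ORDER = ("none", "risk", "high")
REGULATOR_WINDOW = timedelta(hours=72)   # mandatory notification window to the regulator


@dataclass
class Breach:
    """Facts established during incident response (hypothetical field names)."""
    confidentiality: bool                  # disclosed to / accessed by an unauthorised party
    integrity: bool                        # altered without authorisation
    availability: bool                     # access to the data was lost
    availability_restored: bool = True     # e.g. restored from backup, so the loss was temporary
    data_categories: frozenset = frozenset()
    unintelligible: bool = False           # e.g. encrypted and the key was not compromised
    backup_exists: bool = False
    already_public: bool = False
    vulnerable_subjects: bool = False      # children or other vulnerable individuals
    controller_aware_at: Optional[datetime] = None
    processor_aware_at: Optional[datetime] = None


def breach_types(b: Breach) -> list:
    flags = (("confidentiality", b.confidentiality), ("integrity", b.integrity),
             ("availability", b.availability))
    return [name for name, flag in flags if flag]


def awareness_time(b: Breach) -> Optional[datetime]:
    """The controller counts as aware as soon as its processor became aware."""
    times = [t for t in (b.controller_aware_at, b.processor_aware_at) if t is not None]
    return min(times) if times else None


def regulator_deadline(b: Breach) -> Optional[datetime]:
    aware = awareness_time(b)
    return aware + REGULATOR_WINDOW if aware else None


def delay_must_be_explained(b: Breach, notified_at: datetime) -> bool:
    deadline = regulator_deadline(b)
    return deadline is not None and notified_at > deadline


def _escalate(current: str, floor: str) -> str:
    return max(current, floor, key=RISK_ORDER.index)


def risk_level(b: Breach) -> str:
    """Return 'none', 'risk' or 'high' following the slides' criteria."""
    if b.already_public:
        return "none"
    level = "none"
    disclosed_or_altered = b.confidentiality or b.integrity
    # Exception from the slides: unintelligible data where a copy or backup exists
    if disclosed_or_altered and not (b.unintelligible and b.backup_exists):
        level = "high" if b.data_categories & SPECIAL_CATEGORIES else "risk"
    if b.availability and not b.availability_restored:
        level = _escalate(level, "risk")   # permanent loss of availability (assumed to be 'risk')
    elif b.availability and "health" in b.data_categories:
        level = _escalate(level, "risk")   # medical data unavailable even temporarily
    if level == "risk" and b.vulnerable_subjects:
        level = "high"                      # assumption: vulnerable subjects raise the level
    return level


def triage(b: Breach) -> dict:
    level = risk_level(b)
    return {
        "types": breach_types(b),
        "risk": level,
        "notify_regulator": level != "none",      # any risk: supervisory authority within 72h
        "notify_individuals": level == "high",    # high risk: affected individuals as well
        "regulator_deadline": regulator_deadline(b),
    }


# Constructed scenarios loosely following the slides' examples
T0 = datetime(2018, 5, 28, 9, 0, tzinfo=timezone.utc)
SCENARIOS = {
    # Unencrypted CD lost: access by others cannot be ruled out, so it counts as a breach
    "lost_unencrypted_cd": Breach(True, False, True, controller_aware_at=T0,
                                  data_categories=frozenset({"name", "postal_address"})),
    # Ransomware at a clinic: records restored from backup, but the intruder read health
    # data, and the hosting processor noticed 30 hours before the controller did
    "ransomware_restored_from_backup": Breach(True, False, True, controller_aware_at=T0,
                                              processor_aware_at=T0 - timedelta(hours=30),
                                              data_categories=frozenset({"name", "health"})),
    # Encrypted laptop lost, key safe, copy of the data held centrally
    "lost_encrypted_laptop": Breach(True, False, True, unintelligible=True, backup_exists=True,
                                    data_categories=frozenset({"name", "email"}),
                                    controller_aware_at=T0),
    # Power outage stops a newsletter for a few hours
    "newsletter_outage": Breach(False, False, True, controller_aware_at=T0,
                                data_categories=frozenset({"email"})),
}
LATE_REPORT = T0 + timedelta(hours=80)      # constructed reporting times for the delay check
ON_TIME_REPORT = T0 + timedelta(hours=70)

if __name__ == "__main__":
    for name, breach in SCENARIOS.items():
        print(name, triage(breach))
```

The ransomware scenario is the instructive one: availability was restored, yet the incident is still a confidentiality breach of special-category data, so both notifications are due, and because the processor became aware 30 hours earlier the controller's 72-hour clock has only 42 hours left.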
For PR/communications teams
1. Understand GDPR scope and principles, and notification
requirements, grey areas and best practices
– How GDPR relates to other EU and national data protection laws and
obligations
– Legal updates, relevant European Commission/UK ICO GDPR working parties
2. Educate Leadership, Legal, IT, security and other stakeholders
– Customer and stakeholder privacy needs and expectations
– Cyber/data breach reputation trends, risks and impact
– Role of communications in data breach preparation and response
3. Ensure PR/communications is formally represented on relevant
company committees and teams
– GDPR, Data breach, Cybersecurity, etc
For PR/communications teams (2)
4. Work closely with Legal, IT and security to develop or update
company cyber/data breach response plans
– Assess and prioritise different types of data breach risks to your
organisation, including the reputational risks to your organisation, and for
the individuals impacted
– Develop communication plans for different types of data breach, including
key messages, priority and secondary audiences, order and timing
(regulators, customers, employees, investors, etc), format, channels
– Consider the reputational risks of not disclosing different data breach risks,
taking into account:
• The risks of actual or perceived cover-up
• Likely negative customer and stakeholder reaction
• Possibility of regulator investigation
– Ensure your response plans are comprehensive, clear, practical, and fit for
purpose
For PR/communications teams (3)
5. Test and update your plans regularly
– Protocols and processes
– Messaging and content
– Digital/social media dialogue and feedback
– Leadership and team dynamics.
Useful resources
Documents
• General Data Protection Regulation
• Article 29 Working Party - Guidelines on Data Breach Notification
• Article 29 Working Party - Guidelines on Data Protection Impact Assessment
• ENISA - Data Breach Severity Methodology
Organisations
• European Commission
• UK ICO
• The Law Society
• CIPR
• IAPP
Further Information
+44 20 3856 3599
+44 (0)7973 379 989
cp@charliepownall.com
charliepownall.com
Building Trust and a Healthy Reputation from the Get-go
 
An Introduction to The New Crisis Communications
An Introduction to The New Crisis CommunicationsAn Introduction to The New Crisis Communications
An Introduction to The New Crisis Communications
 
Managing Online Reputation. How to Protect Your Company on Social Media
Managing Online Reputation. How to Protect Your Company on Social MediaManaging Online Reputation. How to Protect Your Company on Social Media
Managing Online Reputation. How to Protect Your Company on Social Media
 
No Time to Think. How to Respond to Negative Situations Using Social Media
No Time to Think. How to Respond to Negative Situations Using Social MediaNo Time to Think. How to Respond to Negative Situations Using Social Media
No Time to Think. How to Respond to Negative Situations Using Social Media
 
Issues Management In The Digital Age
Issues Management In The Digital AgeIssues Management In The Digital Age
Issues Management In The Digital Age
 
Social Media for Crisis Communications
Social Media for Crisis CommunicationsSocial Media for Crisis Communications
Social Media for Crisis Communications
 
Online Community Engagement For Government
Online Community Engagement For GovernmentOnline Community Engagement For Government
Online Community Engagement For Government
 
How To Develop Social Media Strategy
How To Develop Social Media StrategyHow To Develop Social Media Strategy
How To Develop Social Media Strategy
 
Safeguarding Corporate Reputation In Social Media
Safeguarding Corporate Reputation In Social MediaSafeguarding Corporate Reputation In Social Media
Safeguarding Corporate Reputation In Social Media
 
Top Social Media #Fails in Asia - 2013
Top Social Media #Fails in Asia - 2013Top Social Media #Fails in Asia - 2013
Top Social Media #Fails in Asia - 2013
 
Social Media for Thought Leadership
Social Media for Thought LeadershipSocial Media for Thought Leadership
Social Media for Thought Leadership
 
How to Minimise Social Media Marketing Risks
How to Minimise Social Media Marketing RisksHow to Minimise Social Media Marketing Risks
How to Minimise Social Media Marketing Risks
 
Digital Influence: Communications Nirvana?
Digital Influence: Communications Nirvana?Digital Influence: Communications Nirvana?
Digital Influence: Communications Nirvana?
 

Recently uploaded

Tata Group Dials Taiwan for Its Chipmaking Ambition in Gujarat’s Dholera
Tata Group Dials Taiwan for Its Chipmaking Ambition in Gujarat’s DholeraTata Group Dials Taiwan for Its Chipmaking Ambition in Gujarat’s Dholera
Tata Group Dials Taiwan for Its Chipmaking Ambition in Gujarat’s Dholera
Avirahi City Dholera
 
Cracking the Workplace Discipline Code Main.pptx
Cracking the Workplace Discipline Code Main.pptxCracking the Workplace Discipline Code Main.pptx
Cracking the Workplace Discipline Code Main.pptx
Workforce Group
 
Sustainability: Balancing the Environment, Equity & Economy
Sustainability: Balancing the Environment, Equity & EconomySustainability: Balancing the Environment, Equity & Economy
Sustainability: Balancing the Environment, Equity & Economy
Operational Excellence Consulting
 
Exploring Patterns of Connection with Social Dreaming
Exploring Patterns of Connection with Social DreamingExploring Patterns of Connection with Social Dreaming
Exploring Patterns of Connection with Social Dreaming
Nicola Wreford-Howard
 
amptalk_RecruitingDeck_english_2024.06.05
amptalk_RecruitingDeck_english_2024.06.05amptalk_RecruitingDeck_english_2024.06.05
amptalk_RecruitingDeck_english_2024.06.05
marketing317746
 
一比一原版加拿大渥太华大学毕业证(uottawa毕业证书)如何办理
一比一原版加拿大渥太华大学毕业证(uottawa毕业证书)如何办理一比一原版加拿大渥太华大学毕业证(uottawa毕业证书)如何办理
一比一原版加拿大渥太华大学毕业证(uottawa毕业证书)如何办理
taqyed
 
Project File Report BBA 6th semester.pdf
Project File Report BBA 6th semester.pdfProject File Report BBA 6th semester.pdf
Project File Report BBA 6th semester.pdf
RajPriye
 
5 Things You Need To Know Before Hiring a Videographer
5 Things You Need To Know Before Hiring a Videographer5 Things You Need To Know Before Hiring a Videographer
5 Things You Need To Know Before Hiring a Videographer
ofm712785
 
RMD24 | Debunking the non-endemic revenue myth Marvin Vacquier Droop | First ...
RMD24 | Debunking the non-endemic revenue myth Marvin Vacquier Droop | First ...RMD24 | Debunking the non-endemic revenue myth Marvin Vacquier Droop | First ...
RMD24 | Debunking the non-endemic revenue myth Marvin Vacquier Droop | First ...
BBPMedia1
 
Enterprise Excellence is Inclusive Excellence.pdf
Enterprise Excellence is Inclusive Excellence.pdfEnterprise Excellence is Inclusive Excellence.pdf
Enterprise Excellence is Inclusive Excellence.pdf
KaiNexus
 
The-McKinsey-7S-Framework. strategic management
The-McKinsey-7S-Framework. strategic managementThe-McKinsey-7S-Framework. strategic management
The-McKinsey-7S-Framework. strategic management
Bojamma2
 
Brand Analysis for an artist named Struan
Brand Analysis for an artist named StruanBrand Analysis for an artist named Struan
Brand Analysis for an artist named Struan
sarahvanessa51503
 
falcon-invoice-discounting-a-premier-platform-for-investors-in-india
falcon-invoice-discounting-a-premier-platform-for-investors-in-indiafalcon-invoice-discounting-a-premier-platform-for-investors-in-india
falcon-invoice-discounting-a-premier-platform-for-investors-in-india
Falcon Invoice Discounting
 
Unveiling the Secrets How Does Generative AI Work.pdf
Unveiling the Secrets How Does Generative AI Work.pdfUnveiling the Secrets How Does Generative AI Work.pdf
Unveiling the Secrets How Does Generative AI Work.pdf
Sam H
 
ENTREPRENEURSHIP TRAINING.ppt for graduating class (1).ppt
ENTREPRENEURSHIP TRAINING.ppt for graduating class (1).pptENTREPRENEURSHIP TRAINING.ppt for graduating class (1).ppt
ENTREPRENEURSHIP TRAINING.ppt for graduating class (1).ppt
zechu97
 
Search Disrupted Google’s Leaked Documents Rock the SEO World.pdf
Search Disrupted Google’s Leaked Documents Rock the SEO World.pdfSearch Disrupted Google’s Leaked Documents Rock the SEO World.pdf
Search Disrupted Google’s Leaked Documents Rock the SEO World.pdf
Arihant Webtech Pvt. Ltd
 
Improving profitability for small business
Improving profitability for small businessImproving profitability for small business
Improving profitability for small business
Ben Wann
 
The Parable of the Pipeline a book every new businessman or business student ...
The Parable of the Pipeline a book every new businessman or business student ...The Parable of the Pipeline a book every new businessman or business student ...
The Parable of the Pipeline a book every new businessman or business student ...
awaisafdar
 
Business Valuation Principles for Entrepreneurs
Business Valuation Principles for EntrepreneursBusiness Valuation Principles for Entrepreneurs
Business Valuation Principles for Entrepreneurs
Ben Wann
 
Maksym Vyshnivetskyi: PMO Quality Management (UA)
Maksym Vyshnivetskyi: PMO Quality Management (UA)Maksym Vyshnivetskyi: PMO Quality Management (UA)
Maksym Vyshnivetskyi: PMO Quality Management (UA)
Lviv Startup Club
 

Recently uploaded (20)

Tata Group Dials Taiwan for Its Chipmaking Ambition in Gujarat’s Dholera
Tata Group Dials Taiwan for Its Chipmaking Ambition in Gujarat’s DholeraTata Group Dials Taiwan for Its Chipmaking Ambition in Gujarat’s Dholera
Tata Group Dials Taiwan for Its Chipmaking Ambition in Gujarat’s Dholera
 
Cracking the Workplace Discipline Code Main.pptx
Cracking the Workplace Discipline Code Main.pptxCracking the Workplace Discipline Code Main.pptx
Cracking the Workplace Discipline Code Main.pptx
 
Sustainability: Balancing the Environment, Equity & Economy
Sustainability: Balancing the Environment, Equity & EconomySustainability: Balancing the Environment, Equity & Economy
Sustainability: Balancing the Environment, Equity & Economy
 
Exploring Patterns of Connection with Social Dreaming
Exploring Patterns of Connection with Social DreamingExploring Patterns of Connection with Social Dreaming
Exploring Patterns of Connection with Social Dreaming
 
amptalk_RecruitingDeck_english_2024.06.05
amptalk_RecruitingDeck_english_2024.06.05amptalk_RecruitingDeck_english_2024.06.05
amptalk_RecruitingDeck_english_2024.06.05
 
一比一原版加拿大渥太华大学毕业证(uottawa毕业证书)如何办理
一比一原版加拿大渥太华大学毕业证(uottawa毕业证书)如何办理一比一原版加拿大渥太华大学毕业证(uottawa毕业证书)如何办理
一比一原版加拿大渥太华大学毕业证(uottawa毕业证书)如何办理
 
Project File Report BBA 6th semester.pdf
Project File Report BBA 6th semester.pdfProject File Report BBA 6th semester.pdf
Project File Report BBA 6th semester.pdf
 
5 Things You Need To Know Before Hiring a Videographer
5 Things You Need To Know Before Hiring a Videographer5 Things You Need To Know Before Hiring a Videographer
5 Things You Need To Know Before Hiring a Videographer
 
RMD24 | Debunking the non-endemic revenue myth Marvin Vacquier Droop | First ...
RMD24 | Debunking the non-endemic revenue myth Marvin Vacquier Droop | First ...RMD24 | Debunking the non-endemic revenue myth Marvin Vacquier Droop | First ...
RMD24 | Debunking the non-endemic revenue myth Marvin Vacquier Droop | First ...
 
Enterprise Excellence is Inclusive Excellence.pdf
Enterprise Excellence is Inclusive Excellence.pdfEnterprise Excellence is Inclusive Excellence.pdf
Enterprise Excellence is Inclusive Excellence.pdf
 
The-McKinsey-7S-Framework. strategic management
The-McKinsey-7S-Framework. strategic managementThe-McKinsey-7S-Framework. strategic management
The-McKinsey-7S-Framework. strategic management
 
Brand Analysis for an artist named Struan
Brand Analysis for an artist named StruanBrand Analysis for an artist named Struan
Brand Analysis for an artist named Struan
 
falcon-invoice-discounting-a-premier-platform-for-investors-in-india
falcon-invoice-discounting-a-premier-platform-for-investors-in-indiafalcon-invoice-discounting-a-premier-platform-for-investors-in-india
falcon-invoice-discounting-a-premier-platform-for-investors-in-india
 
Unveiling the Secrets How Does Generative AI Work.pdf
Unveiling the Secrets How Does Generative AI Work.pdfUnveiling the Secrets How Does Generative AI Work.pdf
Unveiling the Secrets How Does Generative AI Work.pdf
 
ENTREPRENEURSHIP TRAINING.ppt for graduating class (1).ppt
ENTREPRENEURSHIP TRAINING.ppt for graduating class (1).pptENTREPRENEURSHIP TRAINING.ppt for graduating class (1).ppt
ENTREPRENEURSHIP TRAINING.ppt for graduating class (1).ppt
 
Search Disrupted Google’s Leaked Documents Rock the SEO World.pdf
Search Disrupted Google’s Leaked Documents Rock the SEO World.pdfSearch Disrupted Google’s Leaked Documents Rock the SEO World.pdf
Search Disrupted Google’s Leaked Documents Rock the SEO World.pdf
 
Improving profitability for small business
Improving profitability for small businessImproving profitability for small business
Improving profitability for small business
 
The Parable of the Pipeline a book every new businessman or business student ...
The Parable of the Pipeline a book every new businessman or business student ...The Parable of the Pipeline a book every new businessman or business student ...
The Parable of the Pipeline a book every new businessman or business student ...
 
Business Valuation Principles for Entrepreneurs
Business Valuation Principles for EntrepreneursBusiness Valuation Principles for Entrepreneurs
Business Valuation Principles for Entrepreneurs
 
Maksym Vyshnivetskyi: PMO Quality Management (UA)
Maksym Vyshnivetskyi: PMO Quality Management (UA)Maksym Vyshnivetskyi: PMO Quality Management (UA)
Maksym Vyshnivetskyi: PMO Quality Management (UA)
 

GDPR: Data Breach Notification and Communications

1
CPC&
GDPR: DATA BREACH NOTIFICATION & COMMUNICATIONS
AN INTRODUCTION
© Charlie Pownall/CPC & Associates 2017. All rights reserved
January 2018

2
Overview
• Governs the way organisations across the EU process, store, and protect customers’ personal data
– Takes effect on May 25, 2018
• Replaces national legislation, complementary to other EU legislation
– NISD/Cybersecurity Directive, 2016 (for Essential Service/Digital Service Providers)
– Privacy and Electronic Communications Directive, 2003
– E-Privacy Directive, 2018 (digital marketing, cookies)
• Broad definition of personal data
– PII: name, date of birth, gender, height, weight, telephone number, postal address, email address, passport number, social security number, driving license number, IP address, location data, cookie data, RFID tags
– Sensitive or SPII: medical, genetic, biometric, race, ethnicity, political or religious beliefs, sexual preference

3
Overview (2)
• Companies must set ‘reasonable’ levels of protection of personal data
– Data Protection Officers
– Data Protection Impact Assessments
– Codes of Conduct
– Anonymisation, pseudonymisation, encryption
• Strengthens personal rights of EU citizens, including:
– Data access
– Rectification
– Erasure (cf. Right to be Forgotten - pdf)
– Portability
– Objection
– etc.

4
Overview (3)
• Requires organisations to notify a breach
– To regulator: where it is likely to result in a risk to the rights and freedoms of individuals
– To affected individuals: where it is likely to result in a high risk to their rights and freedoms
• Applies to all organisations operating in and/or collecting personal data in the EU
• Tiered fines up to EUR 10m or 2% of annual turnover
• Regarded as international gold standard

5
Transparency obligations
Data protection-related information and communications must be:
– Concise, transparent and intelligible
– Easily accessible
– Clear and in plain language
– In writing or by other means
– May be provided orally
– Free of charge

6
Data breach notification – regulator
• Mandatory notification within 72 hours of discovery of a breach
– To the relevant competent supervisory authority/regulator
– ‘Without undue delay’ for data processors
– Reasons for any delay beyond 72 hours must be explained
• If the breach poses a likely risk/high risk to the rights and freedoms of individuals
– Physical, material or non-material damage
– Loss of control over personal data, limitation of rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, and loss of confidentiality of personal data protected by professional secrecy
– Other significant economic or social disadvantage to impacted individuals

7
Data breach notification (2)
• ‘A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed’ *
• Types of personal data breaches

Breach type      Description
Confidentiality  Unauthorised or accidental disclosure of, or access to, personal data
Availability     Accidental or unauthorised loss of access to, or destruction of, personal data
Integrity        Unauthorised or accidental alteration of personal data

* Source: GDPR Article 4(12)

8
Data breach notification requirements
Notification to supervisory authority should contain:
• Categories and approximate number of individuals involved
• Categories and approximate number of personal records involved
• Name and contact details of Data Protection Officer or other contact point
• Description of the likely consequences of the breach
• Description of the measures taken, or proposed to be taken, to address the personal data breach, including, where appropriate, measures taken to mitigate its possible adverse effects.

9
Data breach notification - exceptions
• If the personal data is unintelligible and where a copy or back-up exists
• Where personal data is already publicly available
• If notification is considered ‘disproportionate’ to the actual or potential damage

10
Data breach notification - grey areas
• Timing
• Level of risk
• Loss of data availability

11
Timing
• Reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised
– Scenario 1: In the case of a loss of a CD with unencrypted data it is often not possible to ascertain whether unauthorised persons gained access. Nevertheless, such a case has to be notified as there is a reasonable degree of certainty that a breach has occurred; the controller would become “aware” when it realised the CD had been lost.
– Scenario 2: A third party informs a controller that they have accidentally received the personal data of one of its customers and provides evidence of the unauthorised disclosure.
– Scenario 3: A controller detects that there has been a possible intrusion into its network. The controller checks its systems to establish whether personal data held on that system has been compromised and confirms this is the case.
– Scenario 4: A cybercriminal contacts the controller after having hacked its system in order to ask for a ransom.

12
Timing (2)
• Delayed notification
– Reason for delay must be explained if not made within 72 hours
– Scenario: where a controller experiences multiple, similar confidentiality breaches over a short period of time, leading to a ‘bundled notification’
• Breaches in more than one EU state
– Controller should notify the relevant lead supervisory authority
– Example: Facebook to notify the supervisory authority in the Republic of Ireland of breaches impacting personal data across multiple EU states
• For data processors
– Recommends immediate notification by processor to data controller
– The controller is considered aware once the processor has become aware

13
Timing (3)
• Customer/affected individuals notification
– Is required ‘in certain cases’, i.e. if special categories of personal data are disclosed online and/or where there is a high risk to rights and freedoms of the individuals impacted
– The principal objective is ‘to provide specific information about steps [affected individuals] can take to protect themselves’
• Contacting individuals
– Information should be communicated directly
• Email, SMS, direct message, prominent website banners or notification, postal communications, print media advertisements
– Press release or corporate blog post is considered inadequate
– Should not accompany other information (newsletters, etc.)
– Should be in the relevant local language
– Supervisory authority can be contacted for advice on appropriate channels and formats

14
Data breach notification information
Notification to affected individuals should contain at least the following information:
• Description of the nature of the breach
• Name and contact details of data protection officer or other contact point
• Description of the likely consequences of the breach
• Description of measures taken, or proposed to be taken, to address the breach, including, where appropriate, measures taken to mitigate its possible adverse effects.

15
Level of risk
• Determination of level of risk to the rights and freedoms of individuals
– Risk exists: identity theft or fraud, financial loss, damage to reputation, discrimination, emotional distress, etc.
– High risk exists: racial or ethnic data, political opinion, religion or philosophical beliefs, trade union membership, genetic data, health, sex life, criminal convictions and offences
• Type of breach
– e.g. confidentiality vs availability breach
• Nature, sensitivity and volume of personal data
– Isolated data may cause harm, but different kinds of data can be used together for data theft, fraud, etc.
– Data indicating customers are on holiday

16
Level of risk (2)
• Ease of identification of individuals
– Ease with which individuals can be identified directly or indirectly by matching data with other information
– Identification may depend on the context and type of breach
• Severity of consequences to individuals
– Motivation of and trust in people or organisation(s) finding and/or using the data
– Likely impact over time for individuals
• Special characteristics of the individual
– Children and vulnerable individuals are at greater risk
• Special characteristics of the data controller
– e.g. medical organisations

17
Loss of availability
• Permanent vs temporary loss of availability
– Where data has been deleted either accidentally or by an unauthorised person, or, in the example of securely encrypted data, the decryption key has been lost. In the event that the controller cannot restore access to the data, for example, from a backup, then this is regarded as a permanent loss of availability.
– Significant disruption to the normal service of an organisation, for example, experiencing a power failure or denial of service attack, rendering personal data unavailable, either permanently or temporarily.
• Notification of temporary breaches
– If critical medical data about (hospital) patients are unavailable, even temporarily, this could present a risk to individuals’ rights and freedoms; for example, operations may be cancelled.
– Conversely, in the case of a media company’s systems being unavailable for several hours (e.g. due to a power outage), if that company is then prevented from sending newsletters to its subscribers, this is unlikely to present a risk to individuals’ rights and freedoms.

18
Loss of availability (2)
• Other impacts
– Infection by ransomware (malicious software which encrypts the controller’s data until a ransom is paid) could lead to a temporary loss of availability if the data can be restored from backup. However, a network intrusion still occurred, and notification could be required if the incident is qualified as a confidentiality breach (i.e. personal data is accessed by the attacker) and this presents a risk to the rights and freedoms of individuals.

19
For PR/communications teams
1. Understand GDPR scope and principles, and notification requirements, grey areas and best practices
– How GDPR relates to other EU and national data protection laws and obligations
– Legal updates, relevant European Commission/UK ICO GDPR working parties
2. Educate Leadership, Legal, IT, security and other stakeholders
– Customer and stakeholder privacy needs and expectations
– Cyber/data breach reputation trends, risks and impact
– Role of communications in data breach preparation and response
3. Ensure PR/communications is formally represented on relevant company committees and teams
– GDPR, Data breach, Cybersecurity, etc.

20
For PR/communications teams (2)
4. Work closely with Legal, IT and security to develop or update company cyber/data breach response plans
– Assess and prioritise different types of data breach risks to your organisation, including the reputational risks to your organisation, and for the individuals impacted
– Develop communication plans for different types of data breach, including key messages, priority and secondary audiences, order and timing (regulators, customers, employees, investors, etc.), format, channels
– Consider the reputational risks of not disclosing different data breach risks, taking into account:
• The risks of actual or perceived cover-up
• Likely negative customer and stakeholder reaction
• Possibility of regulator investigation
– Ensure your response plans are comprehensive, clear, practical, and fit for purpose

21
For PR/communications teams (3)
5. Test and update your plans regularly
– Protocols and processes
– Messaging and content
– Digital/social media dialogue and feedback
– Leadership and team dynamics

22
Useful resources
Documents
• General Data Protection Regulation
• Article 29 Working Party - Guidelines on Data Breach Notification
• Article 29 Working Party - Guidelines on Data Protection Impact Assessment
• ENISA - Data Breach Severity Methodology
Organisations
• European Commission
• UK ICO
• The Law Society
• CIPR
• IAPP

23
Further Information
+44 20 3856 3599
+44 (0)7973 379 989
cp@charliepownall.com
charliepownall.com
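Slides 6 to 18 together describe a decision procedure: whether a breach is notifiable to the regulator or to individuals, which exceptions switch notification off, how awareness (and so the 72-hour clock) is fixed when a processor detects the breach first, and which fields each notification must carry. The Python below is an added example of how an incident-response team might encode that procedure as a triage check; it is not the author's tooling and not an official implementation. The category names, the `Breach` fields, the notification field keys and the sample scenarios are constructed for illustration; the ordering of the checks (exceptions before the risk grading) follows the slides, but real triage still needs a privacy lawyer's review.

```python
"""GDPR breach triage helper (added example, not the deck author's own code).

Encodes the notification logic on the slides: regulator notified where a risk
exists, individuals notified where a high risk exists, exceptions for
unintelligible data with a backup and for already-public data, the 72-hour
window counted from awareness, and the required content of each notification.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class BreachType(Enum):
    CONFIDENTIALITY = "confidentiality"  # unauthorised or accidental disclosure/access
    AVAILABILITY = "availability"        # loss of access to, or destruction of, data
    INTEGRITY = "integrity"              # unauthorised or accidental alteration


# Data categories the "Level of risk" slide lists as creating a high risk.
# Tag names are assumptions for this example.
HIGH_RISK_CATEGORIES = {
    "racial_or_ethnic", "political_opinion", "religion_or_belief",
    "trade_union", "genetic", "health", "sex_life", "criminal",
}

NOTIFICATION_WINDOW = timedelta(hours=72)

# Required notification content (slides 8 and 14); key names are assumed.
REGULATOR_FIELDS = {"subject_categories", "subject_count", "record_categories",
                    "record_count", "contact_point", "likely_consequences", "measures"}
INDIVIDUAL_FIELDS = {"nature", "contact_point", "likely_consequences", "measures"}

# Constructed reference time: the day GDPR took effect, 09:00 UTC.
T0 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)


@dataclass
class Breach:
    breach_type: BreachType
    data_categories: set = field(default_factory=set)
    controller_aware_at: datetime = T0
    processor_aware_at: Optional[datetime] = None  # set if a processor detected it first
    unintelligible: bool = False    # e.g. strongly encrypted, key not compromised
    backup_available: bool = False  # a copy exists from which data can be restored
    already_public: bool = False
    vulnerable_subjects: bool = False  # children or other vulnerable individuals
    temporary_loss: bool = False    # availability loss that will be restored
    critical_service: bool = False  # e.g. hospital systems holding patient data


def awareness_time(b: Breach) -> datetime:
    """The controller counts as aware as soon as its processor became aware."""
    if b.processor_aware_at is not None and b.processor_aware_at < b.controller_aware_at:
        return b.processor_aware_at
    return b.controller_aware_at


def risk_level(b: Breach) -> str:
    """Grade the breach as 'none', 'risk' or 'high' using the slides' factors."""
    if b.already_public:
        return "none"
    if b.unintelligible and b.backup_available:   # slide 9 exception
        return "none"
    # A short, restorable outage of a non-critical service (the newsletter case).
    # A ransomware incident where data was also read must be filed as a
    # CONFIDENTIALITY breach by the caller, so it never takes this branch.
    if (b.breach_type is BreachType.AVAILABILITY and b.temporary_loss
            and not b.critical_service):
        return "none"
    if b.data_categories & HIGH_RISK_CATEGORIES or b.vulnerable_subjects:
        return "high"
    return "risk"


def notification_plan(b: Breach, now: datetime) -> dict:
    """Who must be notified, by when, and whether a delay explanation is due."""
    level = risk_level(b)
    deadline = awareness_time(b) + NOTIFICATION_WINDOW
    return {
        "risk_level": level,
        "notify_regulator": level in ("risk", "high"),
        "notify_individuals": level == "high",
        "deadline": deadline,
        "hours_remaining": round((deadline - now).total_seconds() / 3600, 1),
        "delay_explanation_required": level != "none" and now > deadline,
    }


def missing_fields(notification: dict, audience: str) -> set:
    """Return the required fields (slides 8/14) that are absent or empty."""
    required = REGULATOR_FIELDS if audience == "regulator" else INDIVIDUAL_FIELDS
    return {k for k in required if not notification.get(k)}


def demo_scenarios() -> dict:
    """Constructed scenarios mirroring the slides; returns name -> plan."""
    h = timedelta(hours=1)
    scenarios = {
        # Slide 11, scenario 1: unencrypted CD lost, access unknowable
        "lost_cd": (Breach(BreachType.CONFIDENTIALITY, {"name", "postal_address"}), T0 + 10 * h),
        # Slide 17: hospital data unavailable, even temporarily
        "hospital_outage": (Breach(BreachType.AVAILABILITY, {"health"}, temporary_loss=True,
                                   critical_service=True), T0 + 10 * h),
        # Slide 17: media company cannot send newsletters for a few hours
        "newsletter_outage": (Breach(BreachType.AVAILABILITY, {"email_address"},
                                     temporary_loss=True), T0 + 10 * h),
        # Slide 12: processor aware 30 hours before the controller
        "processor_first": (Breach(BreachType.CONFIDENTIALITY, {"passport_number"},
                                   controller_aware_at=T0 + 30 * h, processor_aware_at=T0),
                            T0 + 50 * h),
        # Slide 9: encrypted laptop lost, backup exists
        "encrypted_laptop": (Breach(BreachType.CONFIDENTIALITY, {"name", "health"},
                                    unintelligible=True, backup_available=True), T0 + 10 * h),
    }
    return {name: notification_plan(b, now) for name, (b, now) in scenarios.items()}


if __name__ == "__main__":
    for name, plan in demo_scenarios().items():
        print(f"{name:18} {plan['risk_level']:5} regulator={plan['notify_regulator']} "
              f"individuals={plan['notify_individuals']} hours_left={plan['hours_remaining']}")
```

The order of checks is the point worth noticing: the slide 9 exceptions are tested before the special-category grading, so an encrypted laptop holding health data with a backup comes out as non-notifiable, while the same data in the clear is a high-risk breach that triggers both notifications. `missing_fields` is the pre-submission check a communications team would run on the draft before the 72-hour deadline.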