GDPR Breach Notification Is Here: What Now?
After years of anticipation, preparation, and countless hours of interpretation, the GDPR went into effect on May 25, 2018 and changed the data protection landscape for companies all around the world.
As many privacy professionals and regulators have already stated, this is only the beginning. While some of you may be better prepared for GDPR compliance, there are many more organisations that are still struggling and striving for compliance. There is one thing we can be sure of at this moment: there will continue to be a learning curve for everyone.
The US and EU state of play one month after the GDPR’s enforcement date
In the US, close to 60% of organisations polled view the GDPR as an opportunity to improve upon their privacy, security, and data management, or as a means to create new business models and revenue streams.1 However, a CompTIA survey revealed that over 50% of US companies did not know if the GDPR was applicable to them as of April 2018.2
There is still much confusion surrounding the GDPR, and Data Protection Authorities have seen a marked increase in GDPR queries across the EU. In fact, the Irish Examiner reported that the Irish DPC was hit with over 700 phone calls and more than 650 emails within the first week of the GDPR, and 10 GDPR cases are in the assessment stage. The Chair of the European Data Protection Board, Andrea Jelinek, told the Wallstreet Journal so far 24 cross-border investigations are ongoing.
Insight into the continued complexity we’re seeing within the US and EU
The GDPR represents a sea-change in international privacy regulation and a retooling of strategies for complying. There are three types of breaches outlined in the GDPR: confidentiality of data, integrity of data, and availability of data. On top of that, US organisations also have their own data breach notification obligations, which may vary from state to state. Further adding to the confusion and complexity is that GDPR requirements are subject to change. There are approximately 80 clauses where member states may deviate from the GDPR, so they are tasked with preparing national legislation to accompany the GDPR.
How do you remain GDPR compliant when it is subject to change? Articles 5 and 24 are provisions that require organisations to implement appropriate technical and organisational measures to meet the operational requirements of the GDPR. These are catchall provisions that say you need to have a privacy program in place – doing what is right for your particular organisation – and not only focusing on what you are doing, but how you are doing it.
So, document your program, as well as the underlying decisions. Ensure you can demonstrate that your data processing operations are compliant. Review and, if necessary, update your technical and organisational measures on a regular basis.
Strategies for maintaining an accountable and compliant privacy management program with appropriate policies and procedures
AT ENTERPRISE LEVEL: Structured Privacy Management, A Top-Down Approach
- Take a top-down approach, assign people within your organisation to take ownership of embedding and maintaining privacy management activities, and provide feedback and evidence.
- Focus on implementing appropriate technical and organisational measures, ensuring they are operationalised.
- Ask your privacy liaisons to report on their privacy management activities on a regular basis
All of the above will allow you to demonstrate to authorities your compliance with data protection laws.
AT PROJECT LEVEL: A Bottom-Up Approach
- Take a bottom-up approach, whereby the business records all processing activities as required by Article 30 GDPR.
- On the basis of Records of Processing Activities, the business can identify if the processing is high risk and if so, complete a DPIA to demonstrate that risks and harms to rights and freedoms of individuals were mitigated effectively.
Together, the top down and bottom-up approaches will help to ensure that you maintain a demonstrably compliant privacy program.
Operationalising your incident response program for breach notification compliance
How to operationalise your incident response program in 5 steps:
- Streamlined incident escalation to privacy team: Ensure there is a process in place to communicate a breach internally.
- Multi-factor risk assessment: Once that information is communicated, ensure the team has the ability to make a quick and efficient multi-factor risk assessment.
- Notification content & timeline: Be ready to communicate the appropriate details to the proper supervisory authorities as mandated.
- Real-time reports and trend analysis: Do ongoing monitoring and analysis of the global environment.
- Staying current with changing regulations: Automate and collect data to improve your compliance.
The number of data breach regulations are growing around the globe. When it comes to the GDPR, you have to deal with three types of breaches, and the US has its own set of data breach notification obligations. Remaining compliant will continue to be a challenge in the coming months and years. View our recorded webinar, GDPR Breach Notification is Here: What Now? to learn more about:
- What not to overlook in your breach preparedness, while still keeping a close eye on the GDPR.
- How to maintain an accountable and compliant privacy management program with appropriate policies and procedures.
- Strategies for complying with GDPR and US data breach notification obligations.
Or, contact a Nymity team member to request a free trial of our privacy software or learn more about Radar’s breach notification software.
- IBM, IBM Study: Majority of Businesses View GDPR as Opportunity to Improve Data Privacy and Security, 2018. http://newsroom.ibm.com/2018-05-16-IBM-Study-Majority-of-Businesses-View-GDPR-as-Opportunity-to-Improve-Data-Privacy-and-Security
- Fosters.com, The State of GDPR Preparedness in the U.S., 2018. https://www.comptia.org/resources/the-state-of-gdpr-preparedness-in-the-u.s