GDPR Data Breach Notification - Your Time is Running Out

The EU General Data Protection Regulation (GDPR) will be in full effect by 2018 (see the full document here). The GPDR will replace the Data Protection Directive, that dates back to 1995. The regulation focuses on the processing and storing of personal data, and mandates organisations to act swiftly in case of a breach involving such data.

The EU Regulation will automatically and immediately become legally binding upon each member state, and even affect countries outside the EU conducting business with EU states and residents. Despite previous beliefs, this will also affect the UK, whose Minister for Digital and Culture released a report outlining why, despite Brexit, it’s important for the UK to fall into line with GDPR.

The GDPR defines ‘personal data breach’ as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to individuals, such as loss of control over their personal data, limitation of their rights, discrimination, identity theft, fraud, financial loss, damage to reputation or loss of confidentiality. Therefore, in the event of a personal data breach, data controllers must notify the supervisory authority without undue delay, no later than 72 hours after having become aware of it. If notification is not made within 72 hours, the controller must provide a “reasoned justification” for the delay.

The nature of the data stolen is also significant. In certain cases, the organisation must also notify the data subject himself (if the data breach is likely to result in a high risk to the rights and freedom of the individual), in order to allow said individual to take the necessary precautions. Failure to comply with these instructions will not go unpunished. The appropriate governing authority has the power to fine organisations in sums of up to 10,000,000 EUR, or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year - whichever amount is higher.

The manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement, has substantial weight in the decision of if, and how much, to fine it.

What does this mean to companies? It means that in addition to all the data privacy and protection solutions they must implement (including the addition of a DPO - Data Protection Officer), they must also vigorously monitor for data breaches involving personal data. This is harder than it seems. Most data breaches are identified weeks or even months after the breach occurred. The Regulation does not stipulate exactly how long it would deem acceptable between breach and discovery, only between breach and notification, but it’s clear that companies should do their utmost to keep this time period to a minimum.

There is, however, an even more terrifying scenario for the newly appointed DPO: a breach has occurred, data has been leaked and posted somewhere online, without the company’s knowledge.

This has occurred numerous times in recent years, when massive data breaches (known or unknown to companies) were made public months and years later, after being identified in a “Data Dump”. While this scenario is not mentioned directly in the Regulation, it would be embarrassing and potentially harmful for any company, who will now have limited time to react and notify the governing authorities about the breach. These authorities could, in theory, claim that the data breach notification “stop-watch” started running the minute the data-dump was made public, and add to the embarrassment by leveraging a fine due to late notification.

In short - if your customers’ private data has been stolen, you’re in a difficult position.

If it has been stolen and you don’t know about it, your situation is worse, and if it was posted somewhere online and you are unaware of it, you are in big trouble. Companies will surely consider this fact (and the overwhelming fines) and engage in wide scale automatic intelligence collection to allow them early identification of hacked data, which will enable them to comply with the GDPR regulation.

IntSights offers its customers a cyber threat intelligence service based on machine- learning algorithms that scans multiple darknet and clear-web sites and can quickly and accurately identify the leakage of personal data and thus enable timely breach notification, in compliance with GDPR regulations.
To schedule a demo please contact us at: [email protected]

This post was written by Alon Arvatz, IntSights CPO

Stay up to Date!

Subscribe to the blog to stay up to date with all the latest industry news and updates from IntSights.