Data Breaches and GDPR
In the last few weeks alone, we have seen massive password files allegedly posted online from LinkedIn (117 million users in June), Twitter (32 million users in June) and MySpace (427 million users late May). While these data files may have been the result of past breaches, password and log-on re-use pretty much ensure that these leaks will lead to account breaches across many other services for many users.
On the 4th May 2016, the EU’s long debated General Data Protection Regulation (GDPR) was published in the Official Journal of the European Union. The GDPR comes into effect on 25th May 2018.
One of its major pillars, and an area which demands regulated firms’ full attention, is that of personal data breaches and notification.
The responsibility here lies with data controllers and data processors, which may very well be different departments of the same entity. A data controller is defined as an entity or body which determines the purposes and means of processing personal data; the processor is the entity which carries out that processing on behalf of the controller. Processing is defined widely as operating on personal data, examples include the collection, recording, organisation, storage, use and destruction.
There is, effectively, nothing that a firm can do with personal data which does not fall under this definition; there are going to be very few regulated firms which are not going to be defined as controllers or processors or both.
The hacks and breaches will continue, and, in the near future at least, grow in frequency.
GDPR makes the reporting by data processors of data breaches to data controllers mandatory. In turn, data controllers must report personal data breaches to their supervisory authority and in some cases, affected data subjects, following specific GDPR provisions. Notification must be made within 72 hours.
Data controllers must maintain an internal breaches register.
Non-compliance by a firm can lead to a fine of up to €10 million or 2% of the total worldwide annual turnover of the previous financial year, whichever is greater.
Registers, procedures and policies are not new to compliance, but this new regulation is targeting firms’ GRC framework with an emphasis on board-level involvement and risk management.
Whilst firms will definitely want to check their registers and update procedures regarding internal breach notification, identification systems and response plans will likely need to be put in place, with their attendant governance and risk provisions. Testing and regular review will be expected.
However, as part of a growing theme within regulation, tighter integration between the governance of a firm and its day-to-day IT activities is strongly encouraged. Personal data is managed by IT or is managed on an outsource basis through the IT department and it will be the governing body’s responsibility to ensure that sufficient resource is devoted to implementing technical and organisational protections to render the data unintelligible in case of unauthorised access and to protect against and detect such access.
Due diligence will need to be strengthened where data processes have been outsourced or where operations on data are performed within third-party environments. The requirement to report and notify must extend through those third parties.
Such a notification regime will be new to many firms. Data breach is a time-sensitive area, so the pre-planning of response and decisive action are particularly important.
Response planning should include clear steps to cover assessment and mitigation, notification of relevant parties, and, finally, investigation and remedial action.
Within the UK, notification will be to the Information Commissioners Office (ICO). Such a notification regime will be new to many organisations and not all breaches will have to be notified to the ICO (only ones where the individual is likely to suffer some form of damage, such as through identity theft or a confidentiality breach). Regulated firms will also need to be aware of your responsibilities to notify the FCA and PRA under Chapter 15 of the Supervision Manual (SUP 15).
With two years to run before GDPR comes in to effect, firms should have plenty of time to put new processes in place, but it is clear that earlier planning will help with the more time-consuming areas. As a minimum you should ensure that your data security policies and training materials are up to date and that your agreements with third parties provide you with adequate protection in the event of a breach outside your direct control.