Four months in, and GDPR has yet to trigger worst-case fears of a global apocalypse. Still, the Supervisory Authorities (SAs) around the European Union have been quite busy investigating data breaches and complaints, some new and some pre-dating the May 25th arrival of the new GDPR regime.
And when several of these incidents involved household names, they served as a wake-up call to others who might have been lulled into complacency, if not a false sense of security. In other words, this could still happen to you. So, before it does, let’s briefly review the key notions you’ll need to consider in a data breach situation.
Security Regulatory Obligations
When it comes to technical and organizational measures – the former in the shape of hardware and software solutions and systems, the latter involving processes and people – GDPR’s mandates are crystal clear: the onus is on organizations to adopt demonstrable measures to protect customer data. What’s more, they must be able both to monitor threats and to detect intrusions as quickly as possible, so as to minimize the potential risk to the fundamental rights and freedoms of the data subjects in case of a breach.
But GDPR is based on outcomes. It doesn’t instruct companies on how to achieve cyber security; the only concession in that sense is the explicit mention of encryption and pseudonymization as examples of measures that can make the data less accessible, or inaccessible altogether, to unauthorized actors. At the same time, the new regulation is quite clear that security technology must be sufficiently advanced to deal with an evolving cyber threat landscape: “state of the art” is the requirement, as stated in the Regulation.
Particularly when the personal data involved is especially sensitive and would put the data subjects in a situation of high risk if compromised, organizations are expected to operate at a higher standard. They must be able to monitor risks and vulnerabilities, and, crucially, detect as quickly as possible dangerous intrusions to minimize the impact and damage to the data subjects.
Ultimately, the security measures have to be commensurate with the risk of a data breach for the organization, and the potential harm this can cause to the data subjects.
As soon as there’s a breach detection, the notification dynamics kick in. Importantly, not all data breaches require notification. But when a company believes that a data breach may pose a risk to the data subjects, the SA should be notified as quickly as possible – and no later than 72 hours, unless there are justifiable reasons. What’s more, if the risk is classified as “high”, then the data subjects must be notified without undue delay.
So, to notify or not to notify?
If you have reasonable certainty that any personal data exposed in a data breach will be unintelligible to attackers – say, because you’ve scrambled it with strong encryption – then there’s no requirement to notify the SA or the data subjects. Where the SA does have to be notified under this criterion, the question then becomes whether the risk to the data subjects is “high,” in which case the data subjects must also be notified without undue delay.
It’s also wise not to wait until an incident occurs to classify different categories of risk. You can base the criteria on the type and sensitivity of the data as well as the type of data subjects – for example minors or vulnerable categories. You can also factor in the time elapsed between the intrusion and the detection, and possibly other specifics related to the organization or the sector they operate in.
It is also important to always make a record of any data breaches, even if they don’t result in formal notification.
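The notification logic described above, encoded as a small triage helper. This is an added illustration, not code from the original article: it classifies a breach using criteria agreed in advance (data sensitivity, type of data subjects, time between intrusion and detection), computes the 72-hour supervisory-authority deadline from the moment of detection, decides whether the data subjects must also be told, and always writes a record even when no notification is required. The category lists, the 30-day dwell-time threshold and the timestamps are constructed placeholders; an organization substitutes the risk criteria it has defined for itself.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional

# The 72-hour supervisory-authority (SA) deadline is the one the text quotes.
SA_DEADLINE = timedelta(hours=72)

# Hypothetical policy lists: an organization defines its own, in advance.
# These are illustrative placeholders, not values from the article.
SENSITIVE_DATA = {"health", "biometric", "genetic", "financial", "credentials"}
VULNERABLE_SUBJECTS = {"minors", "patients"}
LONG_DWELL = timedelta(days=30)  # hypothetical intrusion-to-detection threshold


class Risk(Enum):
    NONE = "no risk"    # data unintelligible to the attacker: no notification
    RISK = "risk"       # notify the SA within 72 hours of detection
    HIGH = "high risk"  # also notify the data subjects without undue delay


@dataclass
class Breach:
    occurred_at: datetime      # when the intrusion is believed to have started
    detected_at: datetime      # when the organization became aware of it
    data_categories: set       # e.g. {"contact", "health"}
    subject_categories: set    # e.g. {"minors"}
    records_affected: int
    unintelligible: bool       # strongly encrypted and the key was not exposed


@dataclass
class Decision:
    risk: Risk
    notify_sa: bool
    sa_deadline: Optional[datetime]
    notify_subjects: bool
    record: dict = field(default_factory=dict)  # kept whether or not anyone is notified


def classify(b: Breach) -> Risk:
    """Apply the pre-agreed criteria: data sensitivity, subject type, dwell time."""
    if b.unintelligible:
        return Risk.NONE
    if b.data_categories & SENSITIVE_DATA or b.subject_categories & VULNERABLE_SUBJECTS:
        return Risk.HIGH
    # A long gap between intrusion and detection gives an attacker more time to
    # exploit the data, so it is treated here as aggravating (hypothetical rule).
    if b.detected_at - b.occurred_at > LONG_DWELL:
        return Risk.HIGH
    return Risk.RISK


def triage(b: Breach) -> Decision:
    """Decide who must be notified and by when; always produce a record."""
    risk = classify(b)
    notify_sa = risk is not Risk.NONE
    deadline = b.detected_at + SA_DEADLINE if notify_sa else None
    record = {
        "occurred_at": b.occurred_at.isoformat(),
        "detected_at": b.detected_at.isoformat(),
        "dwell_hours": (b.detected_at - b.occurred_at) / timedelta(hours=1),
        "records_affected": b.records_affected,
        "data_categories": sorted(b.data_categories),
        "subject_categories": sorted(b.subject_categories),
        "risk": risk.value,
        "sa_notified_by": deadline.isoformat() if deadline else None,
        "subjects_notified": risk is Risk.HIGH,
    }
    return Decision(risk, notify_sa, deadline, risk is Risk.HIGH, record)


def hours_left(d: Decision, now: datetime) -> Optional[float]:
    """Hours remaining on the SA deadline (negative if overdue); None if not required."""
    if d.sa_deadline is None:
        return None
    return (d.sa_deadline - now) / timedelta(hours=1)


def example_cases() -> dict:
    """Constructed breaches covering each branch of the decision (sample data)."""
    t0 = datetime(2018, 9, 1, 8, 0, tzinfo=timezone.utc)
    day = timedelta(days=1)
    return {
        "encrypted": triage(Breach(t0 - day, t0, {"health"}, set(), 200000, True)),
        "contact": triage(Breach(t0 - 3 * day, t0, {"contact"}, set(), 5000, False)),
        "health": triage(Breach(t0 - day, t0, {"contact", "health"}, set(), 50, False)),
        "long_dwell": triage(Breach(t0 - 45 * day, t0, {"contact"}, set(), 10, False)),
    }


if __name__ == "__main__":
    for name, d in example_cases().items():
        print(f"{name:10s} {d.risk.value:10s} SA by: {d.sa_deadline}  subjects: {d.notify_subjects}")
```

The encrypted case is the edge the text singles out: no notification is required, but `triage` still returns a full record, because the breach must be logged regardless. The deadline is anchored to `detected_at`, not to the time the triage is run, so a slow hand-off inside the organization eats into the 72 hours rather than resetting them.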
The breach notification process shouldn’t depend on improvisation. Put a detailed plan together in advance so that every stakeholder knows exactly what to do depending on the nature and characteristics of the breach. A situation that will by definition cause distress, if not panic, within the organization does not need the additional aggravation of a lack of direction and planning. A well-rehearsed plan is essential in order to be (and, crucially, to appear) in control in the eyes of the public, the regulator, the ecosystem and the employees of the compromised organization.
Lastly, effective remediation involves containing the breach and mitigating the potential impact on individual victims. How you handle the actual remediation, whether technically or organizationally, will play a major part with the SA, their assessment of the incident, and ultimately the likelihood – and extent – of any potential sanctions.
Fines and More
Fines are generally the most feared aspect of a data breach situation. This LinkedIn blog by Ilias Chantzos provides a detailed analysis of the intricacies of the sanctions in the GDPR.
At the same time, there can be outcomes more costly than monetary fines, even if they are hard to quantify. A fine, by contrast, is exact: if an SA decides to fine a company, say, 1% of its global annual turnover, that is the cost, quantifiable to the cent.
Of course, the reputational implications are impossible to quantify, even post-incident. Still, there are spectacular examples from the pre-GDPR era of companies that suffered a severe data breach that irreparably damaged their reputations.
Monetary sanctions will be determined, and mitigated or aggravated, by many factors.
If an organization suffers a repeat compliance breach, the SA is more likely to impose higher sanctions. Similarly, an organization is in jeopardy of more substantial fines if regulators determine that it failed to implement previously ordered measures to correct compliance shortcomings.
Data breach victims can demand compensation for any financial, reputational or other damages they suffer, so the cost to an organization can quickly mount depending on how many people are affected. And looking over the horizon, organizations may also face the threat of class actions initiated by citizens who are increasingly aware of their rights under GDPR.
An even more severe state of affairs for a Controller (or indeed a Processor) is being perceived by the Authority as not being in control of personal data, especially sensitive data that can pose a high risk to the data subjects. In the more serious cases, this could leave the Authority no alternative but to suspend processing of this data until the Controller proves to be ‘in control’ again. This is not a ‘punishment’ as such, just the obvious measure aimed at ensuring safe processing, much as someone unable to drive safely is kept off the roads until a successful reassessment.
The SA will therefore indicate the measures to implement in order for the organization to be deemed adequate for processing again. But the time needed to analyze, design and implement such measures across an organization – possibly with technology procurement implications, and therefore the integration of software solutions into existing IT systems – can be devastatingly long, and being unable to process personal data for that long could prove unsustainable for an organization given its business situation.
In other words, fines, reputation and compensation might not be the worst damage sustained after a data breach, compared to a potentially lengthy processing suspension that could impair the very existence of the organization.
The takeaway here is that a serious data breach does not always need to become a dark place from which it’s arduous to escape. Proper security prevention, understanding of the regulation across the organization, and operational planning at all levels, will help in mitigating the consequences, both for the organization and the data subjects.