Many US organisations already operate under a host of Federal and State obligations concerning what to do in the event of a data security breach. On top of these, if you process the personal data of European residents (even if you don’t have a physical presence in the EU), the arrival of the General Data Protection Regulation (GDPR) brings with it an additional set of rules to follow.
Brought into force on 25 May 2018, the GDPR was designed to create a safer data environment for individuals; one that’s fit-for-purpose within the new global data marketplace. As well as giving individuals (e.g. customers and employees) a greater say in what happens to their personal data, it places new obligations on the organisations that control and process that data. Mandatory breach reporting and new data governance requirements are a significant part of this.
Here, we explain what GDPR demands of companies on the data security front – and outline the “who, what, where and when” of breach reporting for US-based companies.
Data security: what are my GDPR obligations?
If you control or process personal data, you are under a duty to implement “appropriate technical and organisational measures” to address the specific security risks you are faced with. In a phrase that features heavily throughout the new law, the GDPR demands that you have particular regard to the “rights and freedoms of individuals” when assessing this. So in simple terms, the more sensitive the data (bank details and health information, for instance), the greater the potential impact on individuals and, therefore, the greater the need for robust protective measures.
Pseudonymisation, encryption, data restoration and regular systems testing are all cited as measures that may form part of your approach to reducing security risk. You can take a closer look at what’s expected of companies in our guide, Data protection breaches: best practice under GDPR.
If your US organisation has accreditation to show that you follow security management best practice, this can be valuable in helping to demonstrate that the measures you have in place are appropriate. However, as our guide to ISO 27001 explains, obtaining certification shouldn’t be seen as a shortcut to full compliance.
Under what circumstances should you report a breach?
For a start, the GDPR is concerned with personal data. So if a breach is confined to business data (for example, a targeted theft of IP or internal accounts), or if you can be sure that the breach has affected only your domestic operation and not your EU customer database, it falls outside the scope of the GDPR.
A breach is described as an event leading to the “accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data, transmitted, stored or otherwise processed.” Helpfully, the GDPR Working Party has classified potential personal data breaches according to three internationally-recognised categories:
- Confidentiality breaches: where data falls into the wrong hands.
- Availability breaches: where there is a loss of access to, or destruction of, data.
- Integrity breaches: where data is corrupted or otherwise altered.
Personal data breaches must be notified to the relevant supervisory authority unless the breach is “unlikely to give rise to a risk to the rights and freedoms of natural persons”.
As an example, suppose a US company’s worldwide customer database is hit by a malware attack. The network intrusion is isolated and a backup procedure is initiated. However, there is a strong possibility that personal data, including financial information, was accessed by the attacker. In these circumstances, notification would be necessary.
By contrast, an employee loses a laptop containing customer data. Robust encryption procedures mean that access to that data is not possible. The company concludes that there is no likely risk to the rights and freedoms of individuals and is, therefore, not obliged to report the breach to the relevant supervisory authority.