Many US organisations already operate under a host of Federal and State obligations concerning what to do in the event of a data security breach. On top of these, if you process the personal data of European residents (even if you don’t have a physical presence in the EU), the arrival of The General Data Protection Regulation (GDPR) brings with it an additional set of rules to follow.
Brought into force on 25 May 2018, the GDPR was designed to create a safer data environment for individuals; one that’s fit-for-purpose within the new global data marketplace. As well as giving individuals (e.g. customers and employees) a greater say in what happens to their personal data, it places new obligations on the organisations that control and process that data. Mandatory breach reporting and new data governance requirements are a significant part of this.
Here, we explain what GDPR demands of companies on the data security front – and outline the “who, what, where and when” of breach reporting for US-based companies.
Data security: what are my GDPR obligations?
If you control or process personal data, you are under a duty to implement “appropriate technical and organisational measures” to address the specific security risks you are faced with. In a phrase that features heavily throughout the new law, the GDPR demands that you have particular regard to the “rights and freedoms of individuals” when assessing this. So in simple terms, the more sensitive the data (bank details and health information, for instance), the greater the potential impact on individuals and, therefore, the greater the need for robust protective measures.
Pseudonymisation, encryption, data restoration and regular systems testing are all cited as measures that may form part of your security risk reduction measures. You can take a closer look at what’s expected of companies in our guide, Data protection breaches: best practice under GDPR.
If your US organisation has accreditation to show that you follow security management best practice, this can be valuable in helping to demonstrate that the measures you have in place are appropriate. However, as our guide to ISO 27001 explains, obtaining certification shouldn’t be seen as a shortcut to full compliance.
Under what circumstances should you report a breach?
For a start, the GDPR is concerned with personal data. So if a breach is confined to business data (e.g. a targeted theft of IP or internal accounts), or if you can be sure that the breach has affected only your domestic operation and not your EU customer database, it falls outside the scope of the GDPR.
A breach is described as an event leading to the “accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data, transmitted, stored or otherwise processed.” Helpfully, the GDPR Working Party has classified potential personal data breaches according to three internationally-recognised categories:
- Confidentiality breaches: where data falls into the wrong hands.
- Availability breaches: where there is a loss of access to, or destruction of, data.
- Integrity breaches: where data is corrupted or otherwise altered.
Personal data breaches must be notified to the relevant supervisory authority unless the breach is “unlikely to give rise to a risk to the rights and freedoms of natural persons”.
As an example, suppose a US company’s worldwide customer database is hit by a malware attack. The network intrusion is isolated and a backup procedure is instigated. However, there is a strong possibility that personal data, including financial information, was accessed by the attacker. In these circumstances, notification would be necessary.
By contrast, an employee loses a laptop containing customer data. Robust encryption procedures mean that access to that data is not possible. The company concludes that there is no likely risk to the rights and freedoms of individuals and is, therefore, not obliged to report the breach to the relevant supervisory authority.
Does the number of persons affected matter under the GDPR?
With HIPAA, for instance, breaches are generally only reportable if the records of 500 or more individuals are affected. Under the GDPR, there is no such minimum cut-off. Depending on the circumstances, if there’s a risk to the rights and freedoms of just one person or a handful of persons, the breach may still be reportable.
Time limits for reporting a security breach to the supervisory authority
Similar to the NYDFS cybersecurity regulation, data controllers must notify the supervisory authority of the breach without undue delay, and no later than 72 hours after becoming aware of the breach.
Information to be provided to the supervisory authority
Your designated supervisory authority (e.g. the ICO in the UK or the CNIL in France) will have a facility for reporting security breaches, accessible through the relevant authority’s website. You will be asked to provide information on the nature of the breach, the categories and approximate number of persons affected, and the likely consequences. You will also be asked to describe the measures you have taken, or propose to take, to mitigate the effects of the breach.
Who is your supervisory authority?
Many US businesses will have customers scattered across the EU, along with a physical presence in multiple member states. Here, the GDPR’s ‘one-stop-shop’ mechanism applies. It requires multinational organisations to identify their EU ‘main establishment’ (i.e. where the bulk of the company’s European operations are administered). The supervisory authority will be the data regulator for the country in which that main establishment is situated.
If your business has a European customer base but does not currently have a physical presence in the EU, it may be necessary to appoint an official representative. You can read more about this in our general GDPR guide for US businesses. In these circumstances, your relevant supervisory authority will be the data regulator for the country in which your representative is based.
Notifying data subjects
Where there is a high risk to the rights and freedoms of individuals, you are also required to inform the individuals affected by the breach. In practice, in the majority of cases where breaches are reportable to the data regulator, subject notification will also be required.
You need to explain to the persons concerned in clear language what has happened, its consequences, what you are doing about it and the steps the individuals should take to protect themselves (e.g. notifying their bank, changing their passwords or flagging up suspicious communications).
The GDPR requires you to keep an internal log of personal data security breaches, setting out what happened, its effects and remedial action taken. Note that this applies to all breaches – even if there was no impact on the rights and freedoms of individuals.
- Where the need to appoint an EU representative applies, choose wisely. If you are hit with a reportable breach, you only have a limited period to carry out your initial investigation and report it. Your representative is the liaison between you and the regulator – and needs to be completely familiar with the reporting procedure in the relevant country to avoid you straying towards non-compliance.
- Get to grips with your governance requirements. From privacy impact assessments through to breach logging, the regulator, through any investigation, will need to be satisfied that your entire approach to data security is “appropriate”. Good governance goes a long way in establishing this.
Failing to have adequate security measures in place or to respond to breaches in the right way can both lead to sanctions and a hefty reputational blow to your global brand.
The Privacy Compliance Hub provides a complete solution for keeping on top of your compliance obligations. Take a look at our demo to discover more – or contact us for a chat today.