When a business or individual becomes aware of a data breach that involves a European citizen’s personal information, it must file a GDPR data breach notification or it can be liable for significant penalties. However, the notification only needs to be filed if the compromised data has the potential to harm a person’s rights and freedoms.
Although the GDPR was enacted in Europe, the regulation applies to businesses in other countries that handle data belonging to European citizens.
Why and when was the GDPR created?
In 2012, the European Commission laid down plans to reform data protection in the European Union. The European data privacy laws then in force couldn’t keep pace with increasingly sophisticated cybercrime. The proposals eventually became the General Data Protection Regulation (GDPR).
The GDPR was adopted on April 14, 2016, and became fully enforceable beginning May 25, 2018. The GDPR is now central to Europe’s cybersecurity laws.
What does the General Data Protection Regulation (GDPR) require?
The GDPR covers more than protection of data from data breaches. It also contains a bundle of data privacy provisions that apply to European citizens, including:
- Article 12 – Transparency and communication requirements. All businesses/individuals are required to explain how data is processed using “a concise, transparent, intelligible and easily accessible form, using clear and plain language.” This article also requires businesses/individuals to make it easy for people to submit requests to erase data.
- Articles 13 & 14 – Communicating specific information when collecting data. At the time data is collected, users must be given specific information.
- Article 15 – Right to access data. European citizens have the right to access their personal data when it’s stored by any company or organization online. They also have the right to know how long their data will be held.
- Article 16 – Data accuracy. European citizens have the right to correct inaccurate or incomplete data held by any organization.
- Article 17 – Right to erase data. European citizens have the right to have their personal data erased upon request.
- Article 17 – Right to restrict data. European citizens can request that a company alter how it processes their data. For instance, individuals may request that you remove their data from a website or other database if that data is inaccurate or is no longer being used for the purpose for which it was originally collected.
These are just some of the rights to data privacy covered by the GDPR.
GDPR requires companies to report data breaches
Under the GDPR, all businesses are required to report a data breach that involves personal information within 72 hours of becoming aware of the breach. The incident must be reported to the relevant supervisory authority.
Most breaches should be reported to a supervisory authority such as the ICO (the UK’s Information Commissioner’s Office). However, there are exceptions.
A data breach doesn’t have to be reported if it is “unlikely to result in a risk to the rights and freedoms of natural persons.” Unfortunately, this assessment is subjective, and when company officials perform it poorly the result is breaches that go unreported.
A GDPR data breach notification must include the following details:
- A description of the data breach that includes the categories of people affected
- The estimated number of individuals affected
- The estimated number of data records affected
- The name and contact information of your company’s data protection officer or point of contact to discuss the breach further
- A description of likely consequences that may result from the breach
- A description of actions that have been or will be taken to mitigate the damage and handle the problem
Thus far, several hundred GDPR enforcement actions and fines have occurred, including against several large corporations. For instance, the UK’s ICO fined British Airways £183 million for a GDPR breach that leaked the data of 500,000 users.
How can businesses comply with GDPR?
Regardless of where your business is located, you have to be GDPR-compliant. If you hold data on just one European citizen, you’re bound by GDPR. To ensure your business gets and remains compliant, it’s best to have a GDPR audit performed by a professional.
In addition to a professional GDPR audit, you’ll also need a third-party vendor audit. Under GDPR, you’re responsible for how third parties process your customer data.
This means that if you use third-party software or services to process payments, manage memberships, or collect email addresses, those companies need to be GDPR compliant, or your company could be held responsible in the event of a data breach.
Need a third-party vendor compliance audit? Panorays can help
If you’re not absolutely certain your third-party vendors are GDPR compliant, Panorays can help. We provide third-party security management to help determine whether a vendor is compliant with the regulations your business is required to adhere to.
If an audit determines a vendor is not compliant, we’ll provide actionable insights your vendor can take to remediate all compliance gaps. We want to work with you and your vendors to make sure none of you gets hit with an unexpected fine for a GDPR violation.
Learn more about the important questions to ask your third parties about their GDPR readiness, or contact us to learn how we can help reduce your risk of liability under the GDPR.