Security is a critical piece of the data protection jigsaw. Clear comprehensive privacy notices, rights to access and port data, and the protections offered by the principle of purpose limitation and restrictions on data transfers have little value to consumers if their data is not secure. Lack of consumer confidence has been identified as a key risk for the development of the digital single market, and a series of high profile breaches has exacerbated the situation. So it was inevitable that data protection reform would need to demonstrate that regulators were serious about data security and the Regulation does this by introducing three critical changes:
- Obligations to have appropriate security in place will apply directly to data processors for the first time.
- There will be mandatory reporting of data breaches to data protection authorities.
- There will also be mandatory reporting of data breaches to data subjects in certain situations.
The obligation to have appropriate security
At the moment data controllers are under an obligation to have in place appropriate technical and organisational measures to protect the personal data which they process, and to impose the same obligation in their contracts with service providers. Under the Regulation this obligation is extended to processors. This is sensible in a world where service providers may have complex sub-contracting arrangements in place already, particularly in the cloud services environment, and tell customers that it is not practical for them to seek to amend contracts relating to longstanding arrangements. Under the Regulation any service provider wanting to do business with European customers is going to have to ensure that all its arrangements meet European standards because it will be legally obliged to do so. However this may be challenging. The security measures must take into account the nature of the personal data to be protected, the state of the art and the costs of their implementation. Many hosting providers have no visibility of the data which they host so they will be unable to assess the nature of the risk. This means they may have to place obligations on their customers to assess, at a minimum, the level of security which they require.
Another change the Regulation makes is that it is more prescriptive about what areas security measures should cover, saying that where appropriate they should include:
- Pseudonymisation and encryption of personal data
- The ability to ensure on-going confidentiality, integrity, availability and resilience of systems and services processing personal data
- The ability to restore the availability and access to data in a timely manner in the event of a physical or technical incident
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
Companies should note the second and third bullet points – they mean that “security” as it is understood by the Regulation is not just about external threats, but also encompasses business continuity issues.
Notification of breaches to DPAs
As was widely expected, the Regulation introduces mandatory reporting of data breaches to the relevant DPA, but fortunately not within the 24 hour time period originally proposed by the Commission. Instead controllers must report breaches without undue delay and where feasible within 72 hours of having become aware of the breach. If the notification is not made within 72 hours, it must be accompanied by a reasoned justification for the delay. Processors are required to notify the data controller of breaches. Another aspect of the original notification proposal which caused significant concern was that there was no materiality threshold, meaning that DPAs were likely to be overwhelmed with fairly insignificant reports. The final version says that it is not necessary to report a breach if it is “unlikely to result in a risk for the rights and freedoms of individuals”. This is an improvement, but very few breaches will represent no risk at all to individuals, so we will need to wait for guidance on how DPAs intend to interpret this threshold.
Where a notification is required, it should include:
a) A description of the nature of the breach, including the categories and number of data subjects concerned and the categories and number of data records concerned
b) The identity of the data protection officer or other contact for more information
c) A description of the likely consequences of the breach
d) A description of the measures taken or proposed to be taken by the controller to address the breach including, where appropriate, measures to mitigate its possible adverse effects.
All personal data breaches must be documented by data controllers to enable DPAs to verify compliance. The documentation should include the facts surrounding the breach, its effect, and the remedial action taken.
Many organisations already have data breach handling processes in place, but it is likely that these will need review to ensure they meet the new requirements of the Regulation. Where companies are already considering how to manage their cybersecurity risk more generally, it may be advisable to combine the two workstreams to avoid confusing overlapping of processes.
Notification of breaches to data subjects
After notifying the DPA, the controller is also required to notify the data subject, where the breach is likely to “result in a high risk to the rights and freedoms of individuals”. The notice must be in clear and plain language. It should describe the nature of the breach, its likely consequences and what the controller is doing to address the breach and mitigate its adverse effects. It should also include contact details of the data protection officer or other contact point where more information can be obtained.
Data subject notification will not be necessary if the controller has applied appropriate protection measures to the affected data, in particular those that render the data unintelligible to any person who is not authorised to access it, such as encryption, or if it has subsequently taken measures which ensure that the high risk for the rights and freedoms of data subjects is no longer likely to materialise. If individual notifications would be a disproportionate effort, the controller can use some form of public communication instead provided that this will be equally effective in informing individuals. Importantly, DPAs have the power to overrule controllers and order them to issue a notice to data subjects if they disagree with a controller’s assessment of the risk.
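The notification logic described in the two sections above (the 72 hour DPA clock and reasoned justification, the risk threshold, the required content of a DPA report, and the data subject exemptions for unintelligible data, subsequent mitigation, disproportionate effort and a DPA order) can be captured in a breach-record helper for an incident response playbook. This is an added illustration, not part of the guide; the risk labels, field names and the `Breach` record are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed labels and field names for a breach record; not from the Regulation.
DPA_WINDOW = timedelta(hours=72)
REQUIRED_DPA_FIELDS = ("nature", "subjects_count", "records_count",
                       "contact", "likely_consequences", "measures")

@dataclass
class Breach:
    became_aware: datetime              # when the controller became aware
    risk: str                           # "none", "risk" or "high" (assumed)
    data_unintelligible: bool = False   # e.g. encrypted, keys not exposed
    risk_since_mitigated: bool = False  # later measures removed the high risk
    individual_notice_disproportionate: bool = False
    dpa_ordered_notice: bool = False    # DPA overruled the controller's view

def dpa_deadline(b: Breach) -> datetime:
    """72 hours from awareness; later filings need a reasoned justification."""
    return b.became_aware + DPA_WINDOW

def dpa_notification_required(b: Breach) -> bool:
    # Only a breach unlikely to result in any risk to individuals is exempt.
    return b.risk != "none"

def reasoned_justification_needed(b: Breach, notified_at: datetime) -> bool:
    return dpa_notification_required(b) and notified_at > dpa_deadline(b)

def data_subject_action(b: Breach) -> str:
    """Decide how, if at all, data subjects must be told."""
    if b.dpa_ordered_notice:              # DPA order overrides the exemptions
        return "individual_notice"
    if b.risk != "high":
        return "not_required"
    if b.data_unintelligible or b.risk_since_mitigated:
        return "exempt"
    if b.individual_notice_disproportionate:
        return "public_communication"
    return "individual_notice"

def missing_dpa_fields(report: dict) -> list:
    """Items a) to d) of the DPA notification; an empty list means complete."""
    return [f for f in REQUIRED_DPA_FIELDS if report.get(f) in (None, "")]

def sample_breach() -> Breach:
    # Constructed sample: a high-risk breach discovered at a fixed time.
    return Breach(datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc), "high")
```

Feeding `missing_dpa_fields` the draft report before it is filed catches the omission the guide warns about: a count of zero is a valid answer, an absent count is not.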
What to do now
- Consider whether you as an organisation understand the relative sensitivity of the different data sets which you process.
- Develop a plan for reviewing your security measures for appropriateness.
- Review contracts with service providers to ensure they contain appropriate provisions.
- If you are a processor, consider whether you have visibility of the sensitivity of the data which you process or whether you need to amend customer contracts to address this.
- Review training provided to employees on data security.
- Develop a breach management procedure which includes clear reporting lines within the organisation to ensure there are no reporting delays.
This entry is an excerpt from Hogan Lovells’ “Future-proofing privacy: A guide to preparing for the EU Data Protection Regulation.”