In this episode, Jonathan Armstrong and I discuss the backbone of the new General Data Protection Regulation (GDPR), which is data security, and the ancillary topic of responding to data breaches. GDPR introduces significant changes on the mandatory reporting of data breaches, including both a requirement to report to the relevant regulator(s) and a requirement to communicate with those affected by a data breach. As noted in Cordery’s GDPR FAQs, “In this context a personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
Data security is enshrined in GDPR Chapter 4, Article 32, which reads:
- Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
  - the pseudonymisation and encryption of personal data;
  - the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  - the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
  - a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
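The first measure in that list, pseudonymisation, is easy to get wrong in practice: replacing an identifier with a plain hash of itself looks anonymous but is trivially reversed by anyone who can guess the inputs. The following Python example is added here to illustrate that point and is not code from the podcast or from Cordery. It contrasts an unkeyed hash with an HMAC-based token whose secret key is held separately from the data set, and runs a dictionary attack against both. The e-mail addresses, the guess list and the record layout are all constructed for the example; encryption, the other half of Article 32(1)(a), is not shown because the Python standard library has no authenticated cipher.

```python
import hashlib
import hmac
import secrets

# Constructed sample records; the e-mail addresses are invented for this example.
RECORDS = [
    {"email": "alice@example.com", "visits": 12},
    {"email": "Bob@Example.com", "visits": 3},
]

# A constructed guess list standing in for what an attacker would really use:
# a leaked customer list, a public directory, or every address at a known domain.
GUESS_LIST = ["alice@example.com", "bob@example.com", "carol@example.com"]


def _canonical(identifier: str) -> bytes:
    """Normalise case and whitespace so the same person always maps to one token."""
    return identifier.strip().lower().encode()


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256 of the identifier.

    Often mistaken for pseudonymisation, but anyone who can guess the input
    can recompute the digest and re-identify the record without any secret.
    """
    return hashlib.sha256(_canonical(identifier)).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 of the identifier under a secret key.

    The key is the additional information that must be kept separately from
    the pseudonymised data set. Without it a token cannot be mapped back to a
    person; with it the controller can still link records for the same subject,
    because the same input gives the same token under the same key.
    """
    return hmac.new(key, _canonical(identifier), hashlib.sha256).hexdigest()


def pseudonymise_records(records, key: bytes):
    """Replace the direct identifier in each record with a keyed token."""
    return [
        {"subject": keyed_pseudonym(r["email"], key), "visits": r["visits"]}
        for r in records
    ]


def dictionary_attack(token: str, guesses, derive):
    """Try to re-identify a token by recomputing `derive` over a list of guesses.

    `derive` is whatever the attacker can compute. Against an unkeyed hash that
    is the hash itself; against the keyed scheme the attacker has no key and is
    reduced to trying the unkeyed hash, which never matches.
    """
    for guess in guesses:
        if hmac.compare_digest(derive(guess), token):
            return guess
    return None


def main():
    key = secrets.token_bytes(32)  # generate once; store outside the data set
    naive = naive_pseudonym(RECORDS[0]["email"])
    keyed = pseudonymise_records(RECORDS, key)[0]["subject"]
    print("naive token re-identified as:", dictionary_attack(naive, GUESS_LIST, naive_pseudonym))
    print("keyed token re-identified as:", dictionary_attack(keyed, GUESS_LIST, naive_pseudonym))


if __name__ == "__main__":
    main()
```

The design choice worth noting is that the keyed token stays deterministic, so the controller can still join records about one data subject across tables while the key is held elsewhere; rotating or destroying the key is what turns the data set from pseudonymised into effectively unlinkable.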
Armstrong believes that most companies understand the need for a technological solution to data protection and will take appropriate technical measures to protect their electronic data. However, he believes they miss what is literally right in front of them: paper data. In his view most organizations are actually worse at securing hardcopy data than electronic data. This comes from printing out too much material, sharing it with customers or others who may not keep it secure, and then not keeping it secure themselves. The failure can range from losing data by leaving materials lying around and forgetting them, to inappropriate access when printed materials are photographed by someone armed only with an iPhone.
Some of the data security protections a company can adopt are the most basic measures, such as putting padlocks on backpacks used to transport documents; much of it is really just common sense. Reminding people not to leave papers (or iPads, iPhones and laptops) in taxis and at airports is always appropriate. The bottom line under GDPR is that you have to keep data secure, and if you fail to do so there are serious potential consequences.
In the area of data breaches, a personal data breach means “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.” Data breaches, including what action has been taken to mitigate them, will have to be reported, under the conditions set out in the new rules, to the relevant data protection regulator without undue delay and, “where feasible”, no later than 72 hours after the data controller has become aware of the breach. Where notification is not made within the 72-hour period, it must be accompanied by reasons for the delay. Note that the clock runs from awareness, not from the incident itself, and Article 33 allows the required information to be provided in phases where it is not all available at once, so an incomplete initial notification is preferable to a late one. Armstrong believes regulators will have “some rigidity” on this point, and you should remember to report to the regulators first, before you notify the affected individuals.
He also believes that data breach reporting is made more complicated by the fact that some countries (including Austria, Germany and the Netherlands) already have their own data breach reporting obligations. Further, data breach reporting may be required under other rules and regulations, particularly in the financial and health sectors. Armstrong believes that regulators may be sympathetic to you not having to comply with the Article 34 obligation to tell affected individuals in some cases; Article 34 itself also contains exceptions, for example where the affected data was protected by measures such as encryption that render it unintelligible to anyone not authorised to access it, which is one reason the Article 32 measures above matter at notification time as well as before the breach. However, the critical thing is having your procedures in place to detect a data breach, or the suspicion of a data breach.
Armstrong analogized that it should “work a little bit like a fire drill. You have to say to all of your employees, you know, if you smell smoke, raise the alarm and get out of the building. It isn’t the employee’s job to work out how big the fire is, where the fire is, which type of fire extinguisher to use on it. My job is to raise the alarm and evacuate. Then you need a small team of people, maybe 10 people, who are going to be your first responders in the data breach and need to be trained in getting to the heart of the data breach very quickly using technical expertise to work out the potential liability to individuals. They need more detailed training, but the key thing is to keep it simple for the general employee population.” What you must avoid is a culture of silence.
However, even more than a culture of silence, you must work to defang any culture of blame, remembering that you only have 72 hours to report to regulators. You can ameliorate this very normal tension between such disparate groups as IT, legal, PR and senior management by planning. Armstrong said, “You must sort the politics in advance. I’m a great fan of rehearsing, rehearsing data breaches in environments that you can put people in a rehearsal under real pressure, use real life scenarios, make them do dummy press releases. We have a data breach academy where they have to do a live 6:00 news broadcast with a genuine BBC interviewer who interviews them as if it was for real. There is no substitute for experience like that. Our experience tells us that actually people who’ve done a rehearsal are better at handling a breach when it comes around for real.”