GDPR Security & Breaches: What You Must Know
According to the 2017 Ponemon Cost of Data Breach Study, the global average cost of a data breach is $3.62 million. The good news: that cost is down 10% from the previous year’s study. The bad news: the breaches themselves got larger, with the average number of compromised records per incident up 1.8%, to roughly 24,000.
Under the GDPR (General Data Protection Regulation), organisations that handle personal data (the controllers who decide why and how it is processed, and the processors acting on their behalf) are required to take appropriate and effective measures to safeguard it. If a breach occurs, the controller must notify the supervisory authority (in the UK, the Information Commissioner’s Office, ICO) without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. It must ALSO notify the affected individuals themselves when the breach is likely to result in a high risk to their rights and freedoms.
So, how does GDPR define security and breaches? What do organizations need to do, and how are organizations held accountable? Let’s review these in detail:
- Security: Controllers and processors must implement technical and organisational measures appropriate to the risk (GDPR Article 32) and inform customers of the security risks that remain. In practice this means controlling who is authorised to access personal data, storing and transmitting it securely (encryption and pseudonymisation are the measures the Regulation names explicitly), regularly testing that the measures still work, and applying security policies commensurate with the sensitivity and volume of the data used in providing the service.
Where a service runs over a third party’s network, the controller should work with that network provider so that the data is protected end to end rather than only within its own systems. Your company must also tell customers about the security risks they incur in providing their data, specifically: 1) the nature of the risk, 2) the measures consumers themselves can take to guard against it, and 3) the (nominal) costs of taking those measures.
- Breaches: A personal data breach is any security breach “leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to” personal data (GDPR Article 4(12)). Note how broad this is: a lost laptop, a misdirected email, or ransomware that makes records unavailable all count, not just an attacker stealing data. A breach may therefore compromise the confidentiality, integrity, or availability of the data and can expose the consumer to significant risk.
Should a breach occur, the controller (usually acting through its data protection officer, DPO) must notify the ICO within the 72-hour window, determine whether the affected individuals must also be told, and record the incident in a breach log whether or not it turns out to be reportable. The ICO notification describes the nature of the breach (the categories and approximate number of individuals and records affected), when the breach occurred and when it was detected, the DPO’s contact details, the likely consequences, and the measures taken or proposed to address it. If you do not yet have all of these details, notify anyway and supply them in phases as they become available.
The breach log should record, in as much detail as possible, the effects of the breach and the steps taken to mitigate them; it is the record the ICO will ask to see when verifying compliance. If you decide to contact your customers, do so in clear and plain language and include: the estimated date of the breach, a summary of the incident, the likely effect upon the data and the individual, the measures taken to mitigate these effects, and a contact point (normally the DPO) for further information.
And The Ugly
So, what happens if you don’t report these breaches? The £1,000 (approximately $1,400) fixed penalty per incident for failing to notify the ICO is the figure from the UK’s PECR breach-notification rules for communications service providers. Under the GDPR itself the exposure is far larger: failing to notify the supervisory authority or the affected individuals is an infringement in its own right, subject to administrative fines of up to €10 million or 2% of annual worldwide turnover, whichever is higher. Either way, this is on top of any other fines related to the severity of the breach and to how the organisation managed the situation.
And The Good, Again
At the end of the day, the GDPR codifies and standardizes an approach to safeguarding consumers’ personal data. Each organization is accountable for the personal data it collects in order to serve its customer base. These definitions, procedures, and penalties are in place to protect businesses (lower costs, better reputation) and individuals (data rights and security). Better organizations, better processes, better consumer protection. It’s a win-win-win scenario!
If you have additional questions regarding these concepts, FileFacets can help you discover the answers for your organization. FileFacets provides the platform and methodology to help businesses comply with the EU’s GDPR. With years of experience in information governance, FileFacets provides the tools for acquiring data, and identifying and processing personal data from multiple sources.