CPC&
GDPR: DATA BREACH NOTIFICATION & COMMUNICATIONS - AN INTRODUCTION
© Charlie Pownall/CPC & Associates 2017. All rights reserved
January 2018
Overview
• Governs the way organisations process, store and protect the personal data of individuals in the EU
– Takes effect on May 25, 2018
• A regulation, directly applicable in every member state: replaces the 1995 Data Protection Directive and the national laws implementing it, and sits alongside other EU legislation
– NIS Directive, 2016 (operators of essential services and digital service providers)
– Privacy and Electronic Communications Directive, 2002 (implemented in the UK as PECR 2003)
– Proposed E-Privacy Regulation, intended to replace it (digital marketing, cookies)
• Broad definition of personal data
– Personal data: name, date of birth, gender, height, weight, telephone number, postal address, email address, passport number, social security number, driving licence number, IP address, location data, cookie identifiers, RFID tags
– Special categories (‘sensitive’ data): health, genetic, biometric, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sex life or sexual orientation
Overview (2)
• Organisations must implement ‘appropriate’ technical and organisational measures to protect personal data, for example:
– Data Protection Officers
– Data Protection Impact Assessments
– Codes of Conduct
– Anonymisation, pseudonymisation, encryption
• Strengthens the rights of individuals (data subjects) in the EU, including:
– Access
– Rectification
– Erasure (the ‘right to be forgotten’)
– Portability
– Objection
– etc.
Overview (3)
• Requires organisations to notify a personal data breach
– To the supervisory authority (regulator): unless the breach is unlikely to result in a risk to the rights and freedoms of individuals
– To affected individuals: where the breach is likely to result in a high risk to their rights and freedoms
• Applies to all organisations established in the EU, and to organisations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU
• Tiered fines: up to EUR 10m or 2% of worldwide annual turnover for the lower tier (which covers breach-notification failures), and up to EUR 20m or 4% for the most serious infringements
• Regarded as an international gold standard
Transparency obligations
Data protection-related information and communications to individuals must be:
– Concise, transparent, intelligible and easily accessible
– In clear and plain language
– In writing or by other means, including electronically; may be provided orally at the individual’s request, provided their identity has been verified
– Free of charge
Data breach notification – regulator
• Mandatory notification within 72 hours of becoming aware of a breach
– To the competent supervisory authority/regulator
– Data processors must notify the controller ‘without undue delay’ after becoming aware
– Reasons for any delay beyond 72 hours must be explained
• Required unless the breach is unlikely to result in a risk to the rights and freedoms of individuals, for example:
– Physical, material or non-material damage
– Loss of control over personal data, limitation of rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, and loss of confidentiality of personal data protected by professional secrecy
– Any other significant economic or social disadvantage to the individuals concerned
Data breach notification (2)
• A personal data breach is ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed’ *
• Types of personal data breaches (a single incident may fall into more than one type):
– Confidentiality breach: unauthorised or accidental disclosure of, or access to, personal data
– Availability breach: accidental or unauthorised loss of access to, or destruction of, personal data
– Integrity breach: unauthorised or accidental alteration of personal data
* Source: GDPR Article 4(12)
Data breach notification requirements
Notification to the supervisory authority must contain at least:
• Description of the nature of the breach, including where possible:
– Categories and approximate number of individuals (data subjects) concerned
– Categories and approximate number of personal data records concerned
• Name and contact details of the Data Protection Officer or other contact point
• Description of the likely consequences of the breach
• Description of the measures taken, or proposed to be taken, to address the breach, including, where appropriate, measures to mitigate its possible adverse effects
• Where all of this is not available at once, it may be provided in phases without undue further delay
• Every breach, notified or not, must be documented (facts, effects, remedial action) so the supervisory authority can verify compliance
Data breach notification - exceptions (communication to individuals)
Communication to affected individuals is not required where:
• The personal data is unintelligible to anyone not authorised to access it (e.g. properly encrypted, with the key not compromised); where a copy or backup also exists there is no availability breach either
• Subsequent measures mean the high risk is no longer likely to materialise
• Individual notification would involve ‘disproportionate effort’; in that case a public communication, or an equally effective measure, must be used instead
• Personal data that was already publicly available may present no additional risk, but the breach must still be assessed and documented
Data breach notification - grey areas
• Timing
• Level of risk
• Loss of data availability
Timing
• A controller becomes ‘aware’ when it has a reasonable degree of certainty that a security incident has occurred and has compromised personal data; the 72-hour clock starts at that point. A short investigation to establish whether a breach has in fact occurred is acceptable; during it the controller is not yet regarded as aware.
– Scenario 1: In the case of a loss of a CD with unencrypted data it is often not possible to ascertain whether unauthorised persons gained access. Nevertheless, such a case has to be notified, as there is a reasonable degree of certainty that a breach has occurred; the controller becomes ‘aware’ when it realises the CD has been lost.
– Scenario 2: A third party informs a controller that it has accidentally received the personal data of one of the controller’s customers and provides evidence of the unauthorised disclosure. The controller is aware on receipt of that evidence.
– Scenario 3: A controller detects a possible intrusion into its network. It checks its systems to establish whether personal data held on them has been compromised and confirms that this is the case. The controller is aware once it has confirmed the compromise.
– Scenario 4: A cybercriminal contacts the controller after having hacked its system in order to ask for a ransom. The controller is aware immediately.
Timing (2)
• Delayed notification
– Reasons for the delay must be given if notification is not made within 72 hours
– Scenario: a controller experiences multiple similar confidentiality breaches over a short period, affecting the same type of data in the same way, and submits a single ‘bundled’ notification
• Breaches affecting individuals in more than one EU member state
– The controller notifies its lead supervisory authority (the authority for its main establishment)
– Example: Facebook notifies the supervisory authority in the Republic of Ireland of breaches affecting personal data across multiple EU states
• Data processors
– The guidance recommends that processors notify the controller immediately on becoming aware, and that the processing contract sets out how this is done
– The controller is considered aware once the processor has become aware
Timing (3)
• Notification of customers/affected individuals
– Required where the breach is likely to result in a high risk to the rights and freedoms of the individuals affected, e.g. where special categories of personal data are disclosed online
– The principal objective is ‘to provide specific information about steps [affected individuals] can take to protect themselves’
• Contacting individuals
– Information should be communicated directly, e.g. by email, SMS, direct message, prominent website banners or notifications, postal communications or print media advertisements
– A press release or corporate blog post alone is considered inadequate
– The notification should not be bundled with other information (newsletters, etc.)
– It should be in the relevant local language
– The supervisory authority can be consulted on appropriate channels and formats
Data breach notification information
Notification to affected individuals should contain at least the
following information:
• Description of the nature of the breach
• Name and contact details of data protection officer or other contact point
• Description of the likely consequences of the breach
• Description of measures taken, or proposed to be taken, to address the
breach, including, where appropriate, measures taken to mitigate its
possible adverse effects.
Level of risk
• Determination of the level of risk to the rights and freedoms of individuals
– A risk exists where the breach could lead to identity theft or fraud, financial loss, damage to reputation, discrimination, emotional distress, etc.
– A high risk is likely where special categories are involved: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, health data, sex life, criminal convictions and offences
• Type of breach
– e.g. a confidentiality breach versus an availability breach
• Nature, sensitivity and volume of personal data
– An isolated data item may cause little harm, but different kinds of data can be combined for identity theft, fraud, etc.
– e.g. postal addresses combined with data indicating that customers are away on holiday
Level of risk (2)
• Ease of identification of individuals
– Ease with which individuals can be identified directly or indirectly by matching
data with other information
– Identification may depend on the context and type of breach
• Severity of consequences to individuals
– Motivation of and trust in people or organisation(s) finding and/or using the data
– Likely impact over time for individuals
• Special characteristics of the individual
– Children and vulnerable individuals are at greater risk
• Special characteristics of the data controller
– eg. medical organisations
Loss of availability
• Permanent vs temporary loss of availability
– Where data has been deleted either accidentally or by an unauthorised person, or, in
the example of securely encrypted data, the decryption key has been lost. In the event
that the controller cannot restore access to the data, for example, from a backup, then
this is regarded as a permanent loss of availability.
– Significant disruption to the normal service of an organisation, for example,
experiencing a power failure or denial of service attack, rendering personal data
unavailable, either permanently, or temporarily.
• Notification of temporary losses of availability
– If critical medical data about (hospital) patients are unavailable, even temporarily, this
could present a risk to individuals’ rights and freedoms; for example, operations may
be cancelled.
– Conversely, in the case of a media company’s systems being unavailable for several
hours (e.g. due to a power outage), if that company is then prevented from sending
newsletters to its subscribers, this is unlikely to present a risk to individuals’ rights and
freedoms.
Loss of availability (2)
• Other impacts
– Ransomware (malicious software which encrypts the controller’s data until a ransom is paid) causes at least a temporary loss of availability, even where the data can be restored from backup. The network intrusion still occurred, so the incident must also be assessed as a possible confidentiality breach (did the attacker access or exfiltrate personal data?) and notified if it presents a risk to the rights and freedoms of individuals. Absence of evidence of exfiltration is not evidence that no access took place; logs and forensic evidence should be examined before a confidentiality breach is ruled out.
For PR/communications teams
1. Understand GDPR scope and principles, and notification requirements, grey areas and best practices
– How GDPR relates to other EU and national data protection laws and obligations
– Legal updates, relevant European Commission/UK ICO GDPR working parties
2. Educate Leadership, Legal, IT, security and other stakeholders
– Customer and stakeholder privacy needs and expectations
– Cyber/data breach reputation trends, risks and impact
– Role of communications in data breach preparation and response
3. Ensure PR/communications is formally represented on relevant company committees and teams
– GDPR, data breach, cybersecurity, etc.
4. Work closely with Legal, IT and security to develop or update
company cyber/data breach response plans
– Assess and prioritise different types of data breach risks to your
organisation, including the reputational risks to your organisation, and for
the individuals impacted
– Develop communication plans for different types of data breach, including
key messages, priority and secondary audiences, order and timing
(regulators, customers, employees, investors, etc), format, channels
– Consider the reputational risks of not disclosing different data breach risks,
taking into account:
• The risks of actual or perceived cover-up
• Likely negative customer and stakeholder reaction
• Possibility of regulator investigation
– Ensure your response plans are comprehensive, clear, practical, and fit for
purpose
5. Test and update your plans regularly
– Protocols and processes
– Messaging and content
– Digital/social media dialogue and feedback
– Leadership and team dynamics.
Useful resources
Documents
• General Data Protection Regulation
• Article 29 Working Party - Guidelines on Data Breach Notification
• Article 29 Working Party - Guidelines on Data Protection Impact Assessment
• ENISA - Data Breach Severity Methodology
Organisations
• European Commission
• UK ICO
• The Law Society
• CIPR
• IAPP
Further Information
+44 20 3856 3599
+44 (0)7973 379 989
cp@charliepownall.com
charliepownall.com

More Related Content

PDF
DPDP Act 2023.pdf
PPTX
Presentation on GDPR
PPTX
GDPR Introduction and overview
PDF
Ley de Protección de Datos Personales
PPTX
General Data Protection Regulations (GDPR): Do you understand it and are you ...
PPT
Data Protection (Download for slideshow)
PPS
Introduction to Data Protection and Information Security
PDF
The Definitive Guide to Data Loss Prevention
DPDP Act 2023.pdf
Presentation on GDPR
GDPR Introduction and overview
Ley de Protección de Datos Personales
General Data Protection Regulations (GDPR): Do you understand it and are you ...
Data Protection (Download for slideshow)
Introduction to Data Protection and Information Security
The Definitive Guide to Data Loss Prevention

What's hot (20)

PPTX
Big data introduction
PDF
Tietosuoja: rekisterinpitäjän vastuut ja velvollisuudet
PDF
03 preprocessing
PPT
Data Protection Act
PDF
Introduction to data protection
PPTX
Data Privacy: What you need to know about privacy, from compliance to ethics
PDF
Data Protection and Privacy
PDF
Data Protection Act 1998 (amended 2000)
PDF
Personal Data Protection Singapore - Pdpc corporate-brochure
PPTX
New opportunities and business risks with evolving privacy regulations
PPSX
Cyber crimes (By Mohammad Ahmed)
PPTX
Peligros y Estafas en Internet
PPT
Data Privacy in India and data theft
PPTX
Rodo podstawy przetwarzania_danych_ dla pracownikow
PPTX
Privacy issues and internet privacy
PPT
Data Mining: Concepts and Techniques (3rd ed.) - Chapter 3 preprocessing
PPTX
GDPR Presentation
PPTX
Fraud Detection in Insurance with Machine Learning for WARTA - Artur Suchwalko
PDF
Data Processing - data privacy and sensitive data
PDF
Managing Personally Identifiable Information (PII)
Big data introduction
Tietosuoja: rekisterinpitäjän vastuut ja velvollisuudet
03 preprocessing
Data Protection Act
Introduction to data protection
Data Privacy: What you need to know about privacy, from compliance to ethics
Data Protection and Privacy
Data Protection Act 1998 (amended 2000)
Personal Data Protection Singapore - Pdpc corporate-brochure
New opportunities and business risks with evolving privacy regulations
Cyber crimes (By Mohammad Ahmed)
Peligros y Estafas en Internet
Data Privacy in India and data theft
Rodo podstawy przetwarzania_danych_ dla pracownikow
Privacy issues and internet privacy
Data Mining: Concepts and Techniques (3rd ed.) - Chapter 3 preprocessing
GDPR Presentation
Fraud Detection in Insurance with Machine Learning for WARTA - Artur Suchwalko
Data Processing - data privacy and sensitive data
Managing Personally Identifiable Information (PII)
Ad

Similar to GDPR: Data Breach Notification and Communications (20)

PPTX
Getting Ready for GDPR
PDF
Getting Ready for GDPR
PDF
Tech Connect Live 30th May 2018 ,GDPR Summit Hugh jones
PPT
Data protection For CYP Organisations
PPTX
General Data Protection Regulation (GDPR)
PPTX
General Data Protection Regulation (GDPR)
PDF
Symantec Webinar Part 6 of 6 GDPR Compliance, Breach Notification, Detection,...
PDF
Personal Data Breach Notification
PDF
Mandatory data breach notification for Australia
PDF
FLIGHT Amsterdam Presentation - Data Breaches and the Law: A Practical Guide
PDF
Administrative and public law seminar
PDF
Flight East 2018 Presentation–Data Breaches and the Law
PPTX
The GDPR and NIS Directive Risk-Based Security Measures and Incident Notifica...
PPT
Cyber-Security: A Shared Responsibility -- November 2013
PDF
Splunk: How Machine Data Supports GDPR Compliance
PPTX
Data Security Breach – knowing the risks and protecting your business
PPTX
An Essential Guide to EU GDPR
PPTX
Data Privacy for Information Security Professionals Part 1
PDF
Introduction to US Privacy and Data Security: Regulations and Requirements
PPTX
3A – DATA PROTECTION: ADVICE
 
Getting Ready for GDPR
Getting Ready for GDPR
Tech Connect Live 30th May 2018 ,GDPR Summit Hugh jones
Data protection For CYP Organisations
General Data Protection Regulation (GDPR)
General Data Protection Regulation (GDPR)
Symantec Webinar Part 6 of 6 GDPR Compliance, Breach Notification, Detection,...
Personal Data Breach Notification
Mandatory data breach notification for Australia
FLIGHT Amsterdam Presentation - Data Breaches and the Law: A Practical Guide
Administrative and public law seminar
Flight East 2018 Presentation–Data Breaches and the Law
The GDPR and NIS Directive Risk-Based Security Measures and Incident Notifica...
Cyber-Security: A Shared Responsibility -- November 2013
Splunk: How Machine Data Supports GDPR Compliance
Data Security Breach – knowing the risks and protecting your business
An Essential Guide to EU GDPR
Data Privacy for Information Security Professionals Part 1
Introduction to US Privacy and Data Security: Regulations and Requirements
3A – DATA PROTECTION: ADVICE
 
Ad

More from Charlie Pownall (20)

PPTX
Transparent AI
PPTX
TalkTalk Data Breach Case Study
PDF
Maersk Notpetya Crisis Response Case Study
PDF
Risky Business: The Whys and Hows of Effective Reputational Risk Management
PPTX
How to handle data breach incidents under GDPR
PPTX
Plans Are Useless - Preparing for & Responding to a Crisis in the Digital Age
PPTX
Boxing Clever: How to Safeguard your Company's Reputation Online
PPTX
Building Trust and a Healthy Reputation from the Get-go
PPTX
An Introduction to The New Crisis Communications
PPTX
Managing Online Reputation. How to Protect Your Company on Social Media
PPTX
No Time to Think. How to Respond to Negative Situations Using Social Media
PPTX
Issues Management In The Digital Age
PPTX
Social Media for Crisis Communications
PPTX
Online Community Engagement For Government
PPTX
How To Develop Social Media Strategy
PPTX
Safeguarding Corporate Reputation In Social Media
PPTX
Top Social Media #Fails in Asia - 2013
PPTX
Social Media for Thought Leadership
PPTX
How to Minimise Social Media Marketing Risks
PPTX
Digital Influence: Communications Nirvana?
Transparent AI
TalkTalk Data Breach Case Study
Maersk Notpetya Crisis Response Case Study
Risky Business: The Whys and Hows of Effective Reputational Risk Management
How to handle data breach incidents under GDPR
Plans Are Useless - Preparing for & Responding to a Crisis in the Digital Age
Boxing Clever: How to Safeguard your Company's Reputation Online
Building Trust and a Healthy Reputation from the Get-go
An Introduction to The New Crisis Communications
Managing Online Reputation. How to Protect Your Company on Social Media
No Time to Think. How to Respond to Negative Situations Using Social Media
Issues Management In The Digital Age
Social Media for Crisis Communications
Online Community Engagement For Government
How To Develop Social Media Strategy
Safeguarding Corporate Reputation In Social Media
Top Social Media #Fails in Asia - 2013
Social Media for Thought Leadership
How to Minimise Social Media Marketing Risks
Digital Influence: Communications Nirvana?

Recently uploaded (20)

PDF
IFRS Notes in your pocket for study all the time
DOCX
Business Management - unit 1 and 2
PDF
Power and position in leadershipDOC-20250808-WA0011..pdf
PDF
Business model innovation report 2022.pdf
PDF
Traveri Digital Marketing Seminar 2025 by Corey and Jessica Perlman
PDF
Dr. Enrique Segura Ense Group - A Self-Made Entrepreneur And Executive
PDF
Training And Development of Employee .pdf
PDF
Deliverable file - Regulatory guideline analysis.pdf
PDF
20250805_A. Stotz All Weather Strategy - Performance review July 2025.pdf
PDF
How to Get Funding for Your Trucking Business
PDF
Stem Cell Market Report | Trends, Growth & Forecast 2025-2034
PPT
Chapter four Project-Preparation material
PDF
kom-180-proposal-for-a-directive-amending-directive-2014-45-eu-and-directive-...
PPTX
Dragon_Fruit_Cultivation_in Nepal ppt.pptx
PPTX
Lecture (1)-Introduction.pptx business communication
PDF
COST SHEET- Tender and Quotation unit 2.pdf
PPTX
The Marketing Journey - Tracey Phillips - Marketing Matters 7-2025.pptx
PDF
A Brief Introduction About Julia Allison
PDF
DOC-20250806-WA0002._20250806_112011_0000.pdf
PDF
Roadmap Map-digital Banking feature MB,IB,AB
IFRS Notes in your pocket for study all the time
Business Management - unit 1 and 2
Power and position in leadershipDOC-20250808-WA0011..pdf
Business model innovation report 2022.pdf
Traveri Digital Marketing Seminar 2025 by Corey and Jessica Perlman
Dr. Enrique Segura Ense Group - A Self-Made Entrepreneur And Executive
Training And Development of Employee .pdf
Deliverable file - Regulatory guideline analysis.pdf
20250805_A. Stotz All Weather Strategy - Performance review July 2025.pdf
How to Get Funding for Your Trucking Business
Stem Cell Market Report | Trends, Growth & Forecast 2025-2034
Chapter four Project-Preparation material
kom-180-proposal-for-a-directive-amending-directive-2014-45-eu-and-directive-...
Dragon_Fruit_Cultivation_in Nepal ppt.pptx
Lecture (1)-Introduction.pptx business communication
COST SHEET- Tender and Quotation unit 2.pdf
The Marketing Journey - Tracey Phillips - Marketing Matters 7-2025.pptx
A Brief Introduction About Julia Allison
DOC-20250806-WA0002._20250806_112011_0000.pdf
Roadmap Map-digital Banking feature MB,IB,AB

GDPR: Data Breach Notification and Communications

  • 1. CPC& GDPR: DATA BREACH NOTIFICATION & COMMUNICATIONS AN INTRODUCTION © Charlie Pownall/CPC & Associates 2017. All rights reserved January 2018
  • 2. 2 Overview • Governs the way organisations across the EU process, store, and protect customers’ personal data – Takes effect on May 25, 2018 • Replaces national legislation, complementary to other EU legislation – NISD/Cybersecurity Directive, 2016 (for Essential Service/Digital Service Providers) – Privacy and Electronic Communications Directive, 2003 – E-Privacy Directive, 2018 (digital marketing, cookies) • Broad definition of personal data – PII: name, date of birth, gender, height, weight, telephone number, postal address, email address, passport number, social security number, driving license number, IP address, location data, cookie data, RFID tags – Sensitive or SPII: medical, genetic, biometric, race, ethnicity, political or religious beliefs, sexual preference CPC& © Charlie Pownall/CPC & Associates 2017. All rights reserved
  • 3. 3 Overview (2) • Companies must set ‘reasonable’ levels of protection of personal data – Data Protection Officers – Data Protection Impact Assessments – Codes of Conduct – Anonymisation, pseudonymisation, encryption • Strengthens personal rights of EU citizens, including: – Data access – Rectification – Erasure (cf. Right to be Forgotten - pdf) – Portability – Objection – etc CPC& © Charlie Pownall/CPC & Associates 2017. All rights reserved
  • 4. 4 Overview (3) • Requires organisations to notify a breach – To regulator: where it is likely to result in a risk to the rights and freedoms of individuals – To affected individuals: where it is likely to result in a high risk to their rights and freedoms • Applies to all organisations across operating in and/or collecting personal data in the EU • Tiered fines up to EUR 10m or 2% of annual turnover • Regarded as international gold standard CPC& © Charlie Pownall/CPC & Associates 2017. All rights reserved
  • 5. 5 Transparency obligations Data protection-related information and communications must be: – Concise, transparent, intelligible and easily transparent – Easily accessible – Clear and in plan language – In writing or by other means – May be provided orally – Free of charge CPC& © Charlie Pownall/CPC & Associates 2017. All rights reserved
  • 6. 6 Data breach notification – regulator • Mandatory notification within 72 hours of discovery of a breach – To the relevant competent supervisory authority/regulator – ‘Without undue delay’ for data processors – Reasons for any delay beyond 72 hours must be explained • If the breach poses a likely risk/high risk to the rights and freedoms of individuals – Physical, material or non-material damage – Loss of control over personal data, limitation of rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, and loss of confidentiality of personal data protected by professional secrecy – Other significant economic or social disadvantage to impacted individuals CPC& © Charlie Pownall/CPC & Associates 2017. All rights reserved
  • 7. 7 Data breach notification (2) • ‘A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed’ * • Types of personal data breaches CPC& © Charlie Pownall/CPC & Associates 2017. All rights reserved Breach type Description Confidentiality Unauthorised or accidental disclosure of, or access to, personal data Availability Accidental or unauthorised loss of access to, or destruction of, personal data Integrity Unauthorised or accidental alteration of personal data * Source: GDPR Article 4(12)
  • 8. 8 Data breach notification requirements Notification to supervisory authority should contain: • Categories and approximate number of individuals involved • Categories and approximate number of personal records involved • Name and contact details of Data Protection Officer or other contact point • Description of the likely consequences of the breach • Description of the measures taken, or proposed to be taken, to address the personal data breach, including, where appropriate, measures taken to mitigate its possible adverse effects. CPC& © Charlie Pownall/CPC & Associates 2017. All rights reserved
  • 9. 9 Data breach notification - exceptions • If the personal data is unintelligible and where a copy or back-up exists • Where personal data is already publicly available • If notification is considered ‘disproportionate’ to the actual or potential damage CPC& © Charlie Pownall/CPC & Associates 2017. All rights reserved
  • 10. 10 Data breach notification - grey areas CPC& © Charlie Pownall/CPC & Associates 2017. All rights reserved • Timing • Level of risk • Loss of data availability
  • 11. 11 Timing CPC& © Charlie Pownall/CPC & Associates 2017. All rights reserved • Reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised – Scenario 1: In the case of a loss of a CD with unencrypted data it is often not possible to ascertain whether unauthorised persons gained access. Nevertheless, such a case has to be notified as there is a reasonable degree of certainty that a breach has occurred; the controller would become “aware” when it realised the CD had been lost. – Scenario 2: A third-party informs a controller that they have accidentally received the personal data of one of its customers and provides evidence of the unauthorised disclosure – Scenario 3: A controller detects that there has been a possible intrusion into its network. The controller checks its systems to establish whether personal data held on that system has been compromised and confirms this is the case – Scenario 4: A cybercriminal contacts the controller after having hacked its system in order to ask for a ransom.
  • 12. 12 Timing (2) CPC& © Charlie Pownall/CPC & Associates 2017. All rights reserved • Delayed notification – Reason for delay must be explained if not made within 72 hours – Scenario: where a controller experiences multiple, similar confidentiality breaches over a short period of time, leading to a ‘bundled notification’ • Breaches in more than one EU state – Controller should notify the relevant lead supervisory authority – Example: Facebook to notify the supervisory authority in the Republic of Ireland of breaches impacting personal data across multiple EU states • For data processors – Recommends immediate notification by processor to data controller – The controller is considered aware once the processor has become aware
  • 13. 13 Timing (3) CPC& © Charlie Pownall/CPC & Associates 2017. All rights reserved • Customer/affected individuals notification – Is required ‘in certain cases’ – ie. if special categories of personal data are disclosed online and/or where there is a high risk to rights and freedoms of the individuals impacted – The principal objective is ‘to provide specific information about steps [affected individuals] can take to protect themselves’ • Contacting individuals – Information should be communicated directly • Email, SMS, direct message, prominent website banners or notification, postal communications, print media advertisements – Press release or corporate blog post is considered inadequate – Should not accompany other information (newsletters, etc) – Should be in the relevant local language – Supervisory authority can be contacted for advice on appropriate channels and formats
  • 14. 14 Data breach notification information Notification to affected individuals should contain at least the following information: • Description of the nature of the breach • Name and contact details of data protection officer or other contact point • Description of the likely consequences of the breach • Description of measures taken, or proposed to be taken, to address the breach, including, where appropriate, measures taken to mitigate its possible adverse effects. CPC& © Charlie Pownall/CPC & Associates 2017. All rights reserved
  • 15. 15 Level of risk CPC& © Charlie Pownall/CPC & Associates 2017. All rights reserved • Determination of level of risk to the rights and freedoms of individuals – Risk exists: identity theft or fraud, financial loss, damage to reputation, discrimination, emotional distress, etc – High risk exists: racial or ethnic data, political opinion, religion or philosophical beliefs, trade union membership, genetic data, health, sex life, criminal convictions and offences • Type of breach – eg. Confidentiality vs availability breach • Nature, sensitivity and volume of personal data – Isolated data may cause harm, but different kinds of data can be used together for data theft, fraud, etc – Data indicating customers are on holiday
  • 16. 16 Level of risk (2) CPC& © Charlie Pownall/CPC & Associates 2017. All rights reserved • Ease of identification of individuals – Ease with which individuals can be identified directly or indirectly by matching data with other information – Identification may depend on the context and type of breach • Severity of consequences to individuals – Motivation of and trust in people or organisation(s) finding and/or using the data – Likely impact over time for individuals • Special characteristics of the individual – Children and vulnerable individuals are at greater risk • Special characteristics of the data controller – eg. medical organisations
17
Loss of availability
• Permanent vs temporary loss of availability
– Where data has been deleted, either accidentally or by an unauthorised person, or, in the case of securely encrypted data, the decryption key has been lost. If the controller cannot restore access to the data, for example from a backup, this is regarded as a permanent loss of availability.
– Significant disruption to the normal service of an organisation, for example a power failure or denial of service attack, rendering personal data unavailable, either permanently or temporarily.
• Notification of temporary breaches
– If critical medical data about (hospital) patients are unavailable, even temporarily, this could present a risk to individuals’ rights and freedoms; for example, operations may be cancelled.
– Conversely, if a media company’s systems are unavailable for several hours (e.g. due to a power outage) and the company is prevented from sending newsletters to its subscribers, this is unlikely to present a risk to individuals’ rights and freedoms.
18
Loss of availability (2)
• Other impacts
– Infection by ransomware (malicious software which encrypts the controller’s data until a ransom is paid) could lead to a temporary loss of availability if the data can be restored from backup. However, a network intrusion has still occurred, and notification could be required if the incident qualifies as a confidentiality breach (i.e. personal data has been accessed by the attacker) and this presents a risk to the rights and freedoms of individuals.
19
For PR/communications teams
1. Understand GDPR scope and principles, notification requirements, grey areas and best practices
– How GDPR relates to other EU and national data protection laws and obligations
– Legal updates, relevant European Commission/UK ICO GDPR working parties
2. Educate Leadership, Legal, IT, security and other stakeholders
– Customer and stakeholder privacy needs and expectations
– Cyber/data breach reputation trends, risks and impact
– Role of communications in data breach preparation and response
3. Ensure PR/communications is formally represented on relevant company committees and teams
– GDPR, data breach, cybersecurity, etc
20
For PR/communications teams (2)
4. Work closely with Legal, IT and security to develop or update company cyber/data breach response plans
– Assess and prioritise the different types of data breach risk to your organisation, including the reputational risks to your organisation and the risks to the individuals impacted
– Develop communication plans for different types of data breach, including key messages, priority and secondary audiences, order and timing (regulators, customers, employees, investors, etc), format and channels
– Consider the reputational risks of not disclosing different types of data breach, taking into account:
• The risk of an actual or perceived cover-up
• Likely negative customer and stakeholder reaction
• Possibility of regulator investigation
– Ensure your response plans are comprehensive, clear, practical and fit for purpose
21
For PR/communications teams (3)
5. Test and update your plans regularly
– Protocols and processes
– Messaging and content
– Digital/social media dialogue and feedback
– Leadership and team dynamics
22
Useful resources
Documents
• General Data Protection Regulation
• Article 29 Working Party - Guidelines on Data Breach Notification
• Article 29 Working Party - Guidelines on Data Protection Impact Assessment
• ENISA - Data Breach Severity Methodology
Organisations
• European Commission
• UK ICO
• The Law Society
• CIPR
• IAPP
23
Further Information
+44 20 3856 3599
+44 (0)7973 379 989
cp@charliepownall.com
charliepownall.com