The Ireland-based Data Protection Commission (DPC), the supervisory authority for the General Data Protection Regulation (GDPR), has released a guide to GDPR breach notifications to help controllers understand their obligations regarding notification and communication.
The DPC is responsible for upholding the right of individuals in the EU to have their personal data protected. In this position, the authority has issued a comprehensive guide answering key questions about what a data controller should do in case of a breach. The document outlines several scenarios but underscores that the primary responsibilities for any entity affected by the GDPR are:
- notification of any personal data breach to the DPC, unless they can demonstrate it is unlikely to pose a risk to data subjects;
- communication of that breach to data subjects, when the breach is likely to pose a serious risk to data subjects.
The DPC holds that “it is of utmost importance that controllers understand and comply with both of these obligations.”
What is a personal data breach?
One key aspect of a data breach is knowing that one has indeed occurred. To that end, data controllers are given the following definition of a personal data breach:
“A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. The term ‘personal data’ means any information concerning or relating to an identified or identifiable individual.”
The types of incidents under this category can vary from lost data, destroyed data and corrupted data to illegitimately-disclosed information. Controllers should also be aware that a personal data breach can cover more than just ‘losing’ personal data. Accidents (such as sending an email to the wrong recipient) or deliberate acts (phishing attacks) can also constitute personal data breaches.
When to notify the DPC and those affected?
The guide outlines several conditions under which a data controller must or may not necessarily notify the DPC and / or the people affected that a breach has occurred. However, it all boils down to this:
- Controllers are absolutely obliged to notify the DPC and those affected unless they can demonstrate that the personal data breach is “unlikely to result in a risk to the rights and freedoms of natural persons”
- A controller may not be required to communicate information relating to a data breach to subjects if:
a) the controller has implemented appropriate technical and organizational protection measures
b) the controller has taken subsequent measures that ensure the high risk to the rights and freedoms of data subjects is no longer likely to materialize
c) it would involve disproportionate effort
The guide continues with a list of what to include in communication to the DPC and data subjects. The Irish watchdog also explains that controllers are free to communicate a breach to data subjects when it may be in their interest or appropriate to do so, even when they are not legally obliged to.
‘Record relevant information’
The GDPR rulebook notably does not list technological requirements for entities covered by the law, nor does it make recommendations in this respect. However, it does imply that some technical measures must be adopted to comply with some of its requirements. Chief among those is the requirement to record relevant information for post-breach analysis:
“In order to comply with their obligations under the Article 5(2) principle of accountability as well as the requirement to record relevant information under Article 33(5), controllers should be able to demonstrate to the DPC when and how they became aware of a personal data breach. The DPC recommends that controllers, as part of their internal breach procedures, have a system in place for recording how and when they become aware of personal data breaches and how they assessed the potential risk posed by the breach,” the guide clarifies.
One way entities covered by the GDPR can fill this gap is to invest in solutions based on Network Traffic Analytics (NTA). Eric Ogren, an analyst with 451 Research, holds that the technology is fast becoming “the easiest-to-manage choice to detect infected devices, track account activity and catch data being staged for later exfiltration.”
Bitdefender Network Traffic Security Analytics (NTSA) detects attacks in transit, automates alert triage, and gives security operations centers context to facilitate incident response. NTSA uses a combination of machine learning and behavior analytics with insights from Bitdefender cloud threat intelligence sourced from 500 million sensors globally to detect threats for all entities, managed or unmanaged, for encrypted or un-encrypted network traffic.
For more information about Bitdefender’s offering, download our free whitepaper, “Combating Advanced Threats with Network Traffic Analytics.”