While authorities may have been lenient in the first year of GDPR's introduction, organizations should now expect tougher penalties.
On 22 May 2019, the European Commission published an infographic on compliance with and enforcement of the GDPR since it came into effect in May 2018, and it is clear that a lot of work still needs to be done. In the last month alone, the UK Information Commissioner's Office has announced its intention to fine British Airways £183 million ($US229.6 million) for failing to protect people's personal data, Marriott International hotel group has been told it faces a penalty of just over £99 million ($US124 million), and in the US credit reference agency Equifax has agreed to a settlement of up to US$700 million.
With GDPR aiming to give citizens back control of their personal data, organizations need to increase data security measures in order to comply, which may include: employing multiple encryption methods on-site and in the cloud; guaranteeing strong key management; and verifying the legitimacy of user identities.
But what should an organization do if – despite its best efforts – a data breach occurs?
1. Contain it
As soon as an organization becomes aware that a data breach has taken place, it should take steps to stop any further loss or exposure of the data (for example revoking compromised credentials, isolating affected systems or closing the leaking channel), while preserving the logs and other evidence the investigation will depend on.
2. Report it
Unless a breach is unlikely to pose a risk to the rights and freedoms of those affected, the organization must report it to the relevant supervisory authority within 72 hours of becoming aware of it; if the report is late, it must explain the delay. Because a breach can have a range of effects on individuals, including emotional distress and physical and material damage, each breach should be assessed on a case-by-case basis.
3. Acknowledge it
If the breach is likely to result in a high risk to the rights and freedoms of individuals, those directly affected must be informed without undue delay, so they can take their own steps to mitigate the effects of the release of their personal data. As the Information Commissioner's Office (ICO) notes, 'high risk' sets a higher threshold for informing affected individuals than the 'risk' threshold for notifying the authority.
4. Explain it
When reporting a breach, organizations must provide information on its nature, including:
- The nature of the breach, including the categories and approximate number of individuals and of personal data records concerned
- The name and contact details of the data protection officer, if there is one, or of another contact point who can provide more information
- An outline of the likely consequences
- A description of the measures already taken or due to be taken to deal with the breach, including, where appropriate, measures to mitigate its possible adverse effects.
5. Document it
Even if a breach doesn't need to be reported, organizations must keep a record of any breach that occurs, including the facts, its effects and the remedial action taken, so that the supervisory authority can verify compliance.
By putting in place detection, investigation and internal reporting procedures, and having checklists for breach preparation and response, businesses will have the information required to make decisions about reporting, both within and outside the organization, and will be able to respond to a data breach as the GDPR requires.