Most of us don’t pay enough attention to safety of personal data we keep on our servers. It is only when accidents happen that we regret our inaction. Of course, we are talking about data breaches that can prove to be much more than an annoyance with huge fines and damage to reputation.
These hacks happen regularly and often. Banks get hacked (JP Morgan Chase, 2015), social networks (MySpace), dating sites (Ashely Madison), and video sharing sites (Dailymotion) are just a handful of examples. Even celebrities aren’t immune, as evidenced by the very infamous and highly publicised iCloud hack in 2014. It affected several A-list stars including Kate Upton, Jennifer Lawrence and Kaley Cuoco, among others.
It’s not only high profile online services that are affected. Small-scale local companies can and do suffer breaches, such as when a disgruntled employee steals all customer data. Under the GDPR, this is also treated as a breach.
But it’s not all so hopeless. Since data breaches occur so often, the GDPR has taken some preventative and emergency measures that can help all parties react quickly. It will help them salvage whatever’s possible and minimize the damages.
Reporting: Do Users Matter?
Companies are required to report risky data breaches to the supervisory authorities (every country will get one central regulatory body for all matters regarding privacy) within 72 hours. Supervisory authorities can then fine them and order them to take additional measures to rectify the situation.
An interesting provision within the GDPR is that you must directly contact the affected individuals if a high-risk data breach occurs. You must do it as soon as possible, presumably to prepare them to act quickly before the criminals have any chance of profiting off their stolen data (changing their passwords or cancelling their credit cards, for example).
Yes, in most cases…
There are a few caveats. The provision has been watered down a bit. Namely, if the number of users is so large that contacting them all personally would be a huge burden (time or money-wise), then an equivalent manner of notifying them can also be appropriate. This includes press releases, public interviews, notices when logging in to your website, mass e-mails etc. You must make a reasonable effort to let your customers know something’s gone awry.
The notification must be written in plain language. It must not try to obfuscate or hide certain facts about the breach, no matter how unpalatable they may be. You also must notify individuals of your actions to rectify the situation. Your company must be honest, or else you face fines from the supervisory authorities.
The good news for the affected companies is that, they have an obligation of notifying their users only if a high-risk breach has occurred. Presumably this is due to a cost-benefit calculation by the lawmaker, but from the perspective of the end-user, it is a tad disturbing that a company could lose their data and not have to notify them about the fact.
Of course, such data must be of trivial significance and its loss must not be more than a minor annoyance to your users. Breaches that could have high risks to the freedoms and safety of the individuals must be reported, but the GDPR doesn’t spell out what criteria should be used for determining that. In other words, companies will be left to their own devices; some might not be skilful enough to properly evaluate the situation while others could be downright malicious. If you’re in doubt, you should hire a DPO who will be able to assist you.
You also don’t have to notify users if the data was encrypted and pseudonymised, as it is understood such data is useless to the attackers. Thus the above methods are a great way to increase data security across the board with a minimal investment.
Still, we expect most companies to behave and actually overreport the occurrence of breaches. The threat of fines is simply too severe to ignore. The fines can range up to EUR 20 million, in some cases even more.
The GDPR cannot change the underlying risks and threats of data storage and processing. It will, however, likely make data more secure by forcing companies to adapt. You will have to adopt better techniques of managing the users’ data in a safer and more effective way.
Good data minimisation strategies also work as well. Companies should educate their users not to share what they do not feel comfortable sharing. This will temper expectations on both sides and avoid a huge backlash if a data breach occurs.