
Personal data breaches, contracts and cloud services raise many questions with regard to GDPR, even though they make up only a fraction of the aspects that need to be considered under the data protection regulation. In this blog we go through a few points on these subjects that have raised the most questions among our customers.

After the discovery of a data breach, or where there is a justifiable reason to suspect one, organizations are legally required to inform a supervisory authority within the following 72 hours. If the data breach is likely to lead to a serious risk to data subjects' fundamental rights and freedoms, the data subjects must be informed and directed on how to minimize damage.

Concealing a data breach, or negligence in discovering it, gives the authorities the right to impose administrative penalties as set out in the regulation. In practice, penalties take the form of fines that take the circumstances of each data breach into consideration, or of enforced corrective actions for personal data processing.

The supervisory authority can also suspend personal data processing. Sanctions for a data breach are also possible in cases where the controller has had sufficient encryption or protection of personal data in place, but this encryption or protection has been unmaintained, poorly maintained or neglected. Moreover, the injured party of the data breach has the right to seek compensation from the controller or the processor. Therefore, it is more than wise to create a process for the possible event of a data breach.

Outsourcing and responsibilities

Nearly all organizations use outsourced services. Liability with regard to external service providers, and the degree to which responsibility can be outsourced to a service provider, remain unclear to many. It should be made clear that the controller is responsible for the processing of personal data and that this responsibility cannot be outsourced.

The responsibility remains with the organization itself. Possible compensation can be agreed upon separately. In this context, it is vital to have personal data processing responsibility and duty clauses stated in contracts made with service providers.

GDPR sets certain requirements for the contents of this contract. If a company has outsourced its data processing to a third party, it is recommended to review these contracts and validate that they comply with the data protection regulation. Such an external data processor can be, for instance, a company payroll service provider, a cloud service provider or an outsourced sales and marketing agency.

According to the regulation, when outsourcing the processing of personal data, the controller (the one who mandates, or on whose behalf, the register is created) and the processor (the one who records, collates, uses and/or retains data) must formally agree on at least the following aspects:

  • Subject-matter and duration of processing
  • Nature and purposes of processing
  • Type of personal data and the categories of data subjects
  • Obligations and rights of the controller

It is highly recommended to state in all future contracts that your organization will be GDPR compliant by May 2018 at the latest.

“Typically, a public cloud service provider retains the rights to change their terms of use as they wish, including the right to transfer data outside of the EU/EEA area. So, how should one react to something like this?”

According to GDPR, the controller and the personal data processor need to know where the personal data is processed and stored. The option to transfer data outside the European Economic Area has been drastically limited in the new regulation. Cloud computing services may use servers located outside the EU/EEA area. Furthermore, cloud service providers' data processing equipment may be controlled by service providers from outside the EU area. In this case, the transfer of personal data must take place within the data transfer frameworks set out in the data protection regulation.

As the introduction of the new regulation creates new obligations for companies, along with added administrative work, the planning and execution of GDPR compliance should be started as soon as possible. The window given to transition to GDPR is a year, meaning that the time to become GDPR compliant is rather short. Now is the time to act. An analysis of the current data security and protection status by an external specialist is a recommended first step. We are more than happy to help you get ready for GDPR!

Contact Information:
Piia Hoffsten
Chief Operating Officer
piia.hoffsten (a) isletgroup.fi
+358 40 5877 303

Buzzwords: #GDPR #dataprotection #cybersecurity #datasecurity #privacy #processes #databreach
