[BreachExchange] What Does the GDPR Consider to be a Data Breach?

[Audrey McNeil]

https://techspective.net/2018/03/23/what-does-the-gdpr-
consider-to-be-a-data-breach/

What does it mean to have a data breach in the context of the General Data
Protection Regulation (GDPR)?

Most of us think of a data breach as the actual loss or exposure of
information to an unauthorized or unintended user. When it comes to the
impending EU regulation, however, it is more accurate to define a data
breach as a violation of the legislation (act or section) that was put in
place to prevent the loss, or unlawful disclosure of data in the first
place.

So, this being the case, it’s prudent to really look at the legislation
that applies to your organization to make sure you don’t commit offenses
and end up putting your organization’s reputation and financial standing at
risk.

Data Breaches in the GDPR

Interestingly, the requirements of “notification’ of a data ‘breach” within
the GDPR vary depending on the type and severity of the breach. So, I took
a little look into what the regulations actually prescribe:

Article 31 of the GDPR mandates that, in the case of a data breach data
officers shall, without undue delay (not later than 72 hours after having
become aware of it), notify the supervisory authority of the incident
unless the personal data breach is “unlikely to result in a risk for the
rights and freedoms of individuals.”

It seems to me that this is a little subjective. What might appear to be a
risk to the rights and freedoms of individuals by one, may differ from
another. So, it appears that the default position is:

“If there is any doubt, there is no doubt, report it.”

This ensures that the Information Commissioner’s Office (ICO) is informed
and provides some peace of mind to most organizations that they at least
will not be penalized for a double breach. That is, being the initial
unlawful disclosure of data, preceded by the compounding offence of failing
to comply with the notification requirements of the act.

It seems reasonable to presume that a breach that discloses an individual’s
health or financial information may be likely to have a significantly
higher risk to the rights and freedoms of a data subject than a breach that
leads to disclosure of customer names with no further information about the
individuals. It is also fair to say, data breaches happen all the time,
whether it be a disgruntled employee copying an entire database of
customers, or a corrupt civil servant accessing sensitive personal data on
an unsecured file server for personal gain.

I believe that these possibilities have been accepted by the legislators,
and the GDPR has now been introduced to enforce a structure to
organizations that were simply negligent around the handling of sensitive
personal data. This new legislation focuses attention to data handling
processes and indicates that evidence of proper data handling and response
procedures will be taken into consideration by the ICO when determining
sanctions.

What Should You Do in the Event of a Data Breach for GDPR?

You need to make sure you can answer the following questions:

1. Can you prove that the personal data was encrypted at the time of the
breach?
2. Following a breach, can you ensure the ongoing confidentiality,
integrity, availability and resilience of processing systems and services?
3. Are you able to restore the availability and access to personal data in
a timely manner in the event of a physical or technical incident?

Finally, and crucially, you should always know the answer to this question:
Is there a process in place for regularly testing, assessing and evaluating
the effectiveness of technical and organizational measures for ensuring the
security of the processing of data?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180326/a8f045b6/attachment.html>