Part 3 - The GDPR revolution: Managing breaches

New legislation to shine the spotlight on data breaches

In this article series, The GDPR revolution, RBC Investor & Treasury Services explores how the European Union's (EU) General Data Protection Regulation will affect data subject rights, compliance and control procedures, and managing breaches for financial institutions.

With cybersecurity attacks posing a growing threat to the safety of private information, the General Data Protection Regulation (GDPR) will introduce mandatory notification to compel data controllers and data processors to respond quickly and transparently to breaches. Financial services firms must implement robust procedures to ensure any breaches are swiftly detected, classified and managed effectively to avoid punitive sanctions and mitigate reputational damage.

Immediate reporting is essential

GDPR defines a personal security breach as an incident “leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.1 Article 33 of GDPR stipulates that data controllers are to report security breaches to the relevant supervisory authority “without undue delay, and where feasible, not later than 72 hours”. The only exception is if the breach would be unlikely to threaten the rights and freedoms of natural persons. All data breaches must be documented.2 The regulation also specifies the role of data processors, which will have to notify the data controllers without undue delay after becoming aware of a personal data breach.

Data controllers must create systems that provide detailed information on the nature of a breach, including the categories and the approximate number of individuals and personal data records concerned. The data controller must also include contact details of their Data Protection Officer or other appointed contact who can provide more information, a description of the likely consequences of the breach as well as the measures taken or proposed to manage it or mitigate any possible adverse effects.3

Data subjects must be informed after high risk breaches

Key insights

  • All firms offering services to EU citizens, regardless of where they are based, will be required to report data breaches to the relevant supervisory authority
  • In the event the breach threatens the rights and freedoms of the data subjects, they must be informed
  • Fines are steep but regulators will likely be more lenient to firms that can demonstrate they made every effort to comply with the GDPR requirements

Article 34 of GDPR requires that data subjects are informed where the breach “is likely to result in a high risk” to their rights and freedoms. The legislation does not specifically define high risk but instead refers to possible consequences that might arise, including discrimination, identity theft, reputational damage and a loss of confidentiality, among other elements. This obligation could mean a potentially significant operational burden for financial institutions that process high volumes of data. It also “significantly increases the danger of widespread reputational harm arising as a consequence of a data breach,” according to law firm White & Case.6

Notification, however, is not required if the data controller has implemented appropriate security measures that render personal data unintelligible to any unauthorized person, such as encryption, or if subsequent measures have been taken to mitigate the risk to data subjects' rights and freedoms. In cases where notification would involve disproportionate effort, a public communication will suffice.7

Failure to report can mean heavy sanctions

Data breaches have become a growing concern. The European Commission stated that in 2016 ‘there were more than 4,000 ransomware attacks per day and 80% of European companies experienced at least one cybersecurity incident. The economic impact of cyber-crime has risen five-fold over the past four years alone’. In addition, as of June 12, 2017, the Identity Theft Resource Center had identified 1,222 data security breaches in the United States alone since the start of 2017, which exposed around 172 million records.8

Under GDPR, a failure to comply with mandatory notification requirements could result in fines of up to EUR 20 million or four percent of a company's global turnover. The Payment Card Industry Security Standards Council estimates that British organizations could potentially face fines of more than GBP 120 billion due to cybersecurity breaches in 2018, partly due to GDPR requirements. Supervisory authorities have wide-ranging powers and can issue warnings and reprimands as well as steep fines. They can also impose a “temporary or definitive limitation”, including a ban on data processing. However, they will also take into account “any action taken by the controller or processor to mitigate the damage suffered by data subjects,” as well as the degree of cooperation with the supervisory authority and how swiftly the breach was notified.10

“The fines are designed to be dissuasive, so they are meant to hurt. But if you demonstrate good processes, that you are trying hard to comply, my guidance from the regulators is that they will be more lenient,” said International Data Corporation analyst Duncan Brown.11

While the fines are steep, the long-term costs and consequences of a breach can be significant for data controllers. Uber, for example, is facing legal action from the United States, Britain and Italy after it delayed disclosure of a 2016 security breach involving the personal information of 2.7 million customers.12 In early September 2017, American credit agency Equifax's share price plunged 29 percent in the week after it disclosed a cybersecurity breach that potentially impacted 143 million people in the US.13

To mitigate these risks and ensure GDPR compliance, financial institutions should review their policies and procedures and develop response plans that clearly map out key roles and responsibilities. Such plans should include emergency measures to contain a breach, escalation to senior management, notification of the supervisory authority and affected data subjects, and a system for full documentation.

GDPR includes several references to encryption and pseudonymization technologies as potential approaches to protect data following any breach. Having both in place from the outset can ameliorate any impact.

Robust systems are critical – there is nowhere to hide

With only 72 hours to report a security breach and stiff penalties for non-disclosure, it is essential that data controllers have already developed, implemented and tested procedures to manage breaches from detection through to resolution in readiness for GDPR.

“Companies should have a well-prepared incident response process. This should not just focus on the technical aspects of a breach but on the public relations, communications strategy, and liaising with the regulators,” said Brian Honan, CEO and security expert at BH Consulting.15


Sources

  1. Intersoft consulting services AG (October 2017). General Data Protection Regulation. Article 4. Definitions
  2. Intersoft consulting services AG (October 2017). General Data Protection Regulation. Article 33. Notification of a personal data breach to the supervisory authority
  3. Ibid.
  4. Intersoft consulting services AG (October 2017). General Data Protection Regulation. Article 34. Communication of a personal data breach to the data subject
  5. Intersoft consulting services AG (October 2017). General Data Protection Regulation. Recital 85. Notification obligation of breaches to the supervisory authority
  6. White & Case (July 22, 2016). Chapter 10: Obligations of Controllers – Unlocking the EU General Data Protection Regulation
  7. Intersoft consulting services AG (October 2017). General Data Protection Regulation. Article 34. Communication of a personal data breach to the data subject
  8. European Commission (2017). State of the Union 2017 – Cybersecurity: Commission scales up EU’s response to cyber attacks; Identity Theft Resource Center (June 12, 2017). 2017 Data Breach Category Summary
  9. Payment Card Industry Security Standards Council (2016). The UK Business Cybersecurity Threat
  10. Intersoft consulting services AG (October 2017). General Data Protection Regulation. Article 83. General conditions for imposing administrative fines
  11. GDPR & Beyond (September 26, 2017). Proactive breach notification can help lower GDPR fines
  12. Ibid.
  13. Bloomberg (September 14, 2017). Analysts keep saying buy and Equifax keeps plunging
  14. Ibid. GDPR & Beyond
  15. Ibid. GDPR & Beyond