GDPR: 72-Hour Breach Notification Rule

One of the biggest and more controversial changes in the General Data Protection Regulation (GDPR) is the requirement for companies to report breaches of consumer personal data. Fortunately, we recently had the chance to talk with an expert on GDPR compliance to find out some of the subtler details.

“Likely to Affect”

The first key thing to keep in mind is that there are two different thresholds to apply in a GDPR breach: one for notifying customers, and the other for alerting the Data Protection Authority (DPA).

If the personal data that has been exposed is “likely to affect” a consumer, then they will need to be notified. This is a fairly low bar to reach.

According to the compliance attorney we spoke to, any personal data identifiers (say, email addresses, online account IDs, and possibly IP addresses) could easily pass the likely-to-affect test.

In addition, if the breached personal data contains more monetizable personal data, such as bank account numbers or other financial identifiers, then you can say the breach is “likely to harm” the individual. In this situation, both the consumer and the DPA will have to be notified.

Breach Response: Not Just IT

The notification sent to the DPA in the likely-to-harm case also must include detailed information about the incident.

Besides describing the nature of the breach, the notification has to mention the types of data, the number of individuals, and the number of records exposed.

The company (or data controller in EU-speak) then needs to describe any likely consequences of the breach as well as any mitigation efforts to be taken.

The notification to the DPA must be made within 72 hours, or “a reasoned justification” must be given in cases where that window can’t be met.

Of course, you’ll need IT to provide the basic information about what types of data and how many records were involved.

But according to the attorney, a breach or incident response team must be made up of more than IT!

Minimally, the response group should include a chief privacy officer, a legal representative if the CPO is not an attorney, risk management personnel, PR, and financial.

The point is that while IT is crucial for understanding the scope of the attack, a breach impacts so much more than just IT (regulatory, financial, and legal areas) that other experts have to be involved.

