GDPR – How to Protect Against Breach Notification Requirement?

The General Data Protection Regulation, or GDPR, replaces the Data Protection Directive (“Directive”), which has been in effect since 1995. The GDPR became law in April 2016, but organizations were given a two-year grace period to comply. The effective date for compliance is on May 25, 2018. The GDPR enables all EU nations to have a single set of rules that apply to all organizations that process personal data of EU citizens. The underlying idea is that every EU citizen has a fundamental right to privacy. As we all know, most organizations today collect personal information of their customers, prospects or third parties in order to conduct their businesses more effectively. The data is generally stored in electronic format in a database server or a file server thereby making it easy to find by authorized users as well as by malicious actors. Forrester reports that in 2016, one billion records were compromised in just 12 months. However, in the first half of 2017, 918 data breaches were reported that led to 1.9 billion data records being compromised worldwide. This represents an increase of 164 percent compared to the first six months of 2016. Given the current climate, the GDPR is an attempt to curb this carnage by outlining how organizations are allowed to gather, use, maintain and finally destroy personal data of EU citizens. It requires organizations to implement appropriate technical and organizational measures to prevent the loss of or unauthorized use of personal data. 

GDPR Terminology:

“Data subject” – an individual domiciled in the EU.

“Personal data” – data that relates to a living individual who can be identified – 

(a) from the data, or

(b) from the data and other information which is in the possession of, or is likely to come into the possession of, the data controller

“Controller” – an organization that either transmits, stores, or processes personal information of an EU citizen.

“Processor” – an organization that is involved in processing personal information of an EU citizen. A cloud service provider falls into this category. 

What Constitutes a Data Breach Under GDPR?

Accidental loss of personal data

Loss of personal data due to a breach

Malicious alteration of personal data

Unauthorized access of personal data

Key GDPR Provision Related to a Data Breach Notification:

[[From Article 34 of GDPR]]:

In case of a data breach, appropriate authorities and data subjects must be informed “without undue delay” “when the breach is likely to result in a high risk to the rights and freedoms” of the data subject. However, the communication of a personal data breach to the data subject shall not be required if the controller demonstrates to the satisfaction of the supervisory authority that it has implemented appropriate technological protection measures, and that those measures were applied to the data involved in the personal data breach. Such technological protection measures shall render the data unintelligible to any person who is not authorized to access it.

Who and When to Inform?

The breach notification rule requires that the supervisory authority must be informed about the breach within 72 hours of becoming aware of a data breach. Moreover, if the security breach is likely to result in disclosure of private information of a data subject, then the data subject must also be notified.

How to Avoid a Public Disclosure of a Personal Data Breach?

The GDPR may not require a public disclosure of a data breach as long as you can prove to the supervisory authority that the stolen data is unreadable by unauthorized users. Obviously the intent is to encourage both the controller and the processor to encrypt personal data in their possession. However, it is important to note that encrypting data alone may not be sufficient if the attacker is able to get to the unencrypted version of the data. Hence, it is important to implement advanced access control mechanisms along with data encryption. Also, the secondary goal is to raise the data security bar high enough so that you are able to convince the supervisory authority that the stolen information cannot be used. 

Server General TDE Can Help

Server General TDE utilizes the AES algorithm to encrypt data and advanced access controls mechanisms to prevent the malicious/compromised “root” user from accessing it. Thus, Server General TDE can assist you with not only complying with the GDPR articles 32 and 34 but may also eliminate the need for publicly disclosing your data breach.

California Privacy Laws

• Applies to all entities doing business with California residents

•  Businesses are mandated to protect “personal information” 

• Two exceptions – encrypted or redacted data

• Any breach or suspected breach of unencrypted data must be reported

• Non-Compliance may result in fines, sanctions & prosecution