Compliance is paramount as data breaches become rampant
January 16, 2018
What happened in India, and affects over a billion people, is baffling:
For as little as $8 to $13, reporters bought access to the personal information held in the government's database, keyed by citizens' 12-digit unique identification numbers. The person who sold the access also offered to print out the unique identification cards, called Aadhaar. These cards prove a citizen's identity and are needed to access government services, including fuel subsidies and free school meals; they are also meant to prevent fraud, since corrupt officials often add fake names to welfare databases and steal money meant for the poor. Without the card, people cannot get healthcare or food. It took only ONE disgruntled worker to put a billion people's lives at risk.
What defines a data breach?
The GDPR defines a personal data breach as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed". Given the regulation's ambitious scope, this covers a wide range of data that are not easy to define: video and voice recordings, pictures, and e-mail messages.
The regulation's explanatory memorandum goes further: it should be ascertained whether controllers and processors have taken all appropriate technical and organisational protection measures. In addition, controllers must inform the affected individuals of a breach without undue delay where it is likely to result in a high risk to them.
What is considered personal data?
Personal data means any information relating to an identified or identifiable natural person (the "data subject"). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. A natural person means everyone, from a newborn on.
Who, when and to whom?
The regulation requires the controller to notify the supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of a breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons; a later notification must be accompanied by the reasons for the delay. The obligation sits with the controller; your DPO (Data Protection Officer) is the contact point for the supervisory authority and for data subjects, and in practice coordinates the notification. The DPO is responsible for monitoring compliance with the GDPR (General Data Protection Regulation), with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits. The DPO must be easily reachable, and the DPO's contact details must be published and communicated to the supervisory authority. That said, in the event of a security breach the controller is best placed to assess the risks and their consequences, because the controller is liable for any damage, including damage to brand reputation.
Take a risk-based approach
Recital 74 of the GDPR states unambiguously that the measures taken by controllers should take into account the risk to the rights and freedoms of natural persons. The categories are "risk" and "high risk", which requires organisations to assess the "likelihood and severity" of the risk that their personal data processing operations pose to the fundamental rights and freedoms of individuals. The table below is a snapshot of activities and their associated risks. Recital 75 is worth reading thoroughly.
No doubt enterprises need to set action plans in motion. What happened in India could happen anywhere else. Can you fathom the repercussions for the people affected? Now imagine it happening at your company.
Could this data breach have been avoided?
Yes, with proper procedures and policies for revoking access rights and credentials when people leave or change roles.
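As an added example, not from the original article, here is a small Python check of the kind such a procedure needs: it reconciles an HR leaver list against the accounts that exist on a system serving personal data and flags any leaver's account that is still enabled past a grace period, or that was used after the leaving date. The names, dates and the one-day grace period are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta

# Constructed sample data (not real records): the HR leaver roster, and the
# accounts that exist on a system serving personal data.
LEAVERS = {
    "rkumar": date(2017, 11, 30),  # left in November, account never disabled
    "asingh": date(2018, 1, 2),    # left recently, account disabled in time
}

ACCOUNTS = [
    {"user": "rkumar", "enabled": True,  "last_login": datetime(2018, 1, 3, 22, 14)},
    {"user": "asingh", "enabled": False, "last_login": datetime(2017, 12, 29, 9, 0)},
    {"user": "pmehta", "enabled": True,  "last_login": datetime(2018, 1, 15, 8, 30)},
]

# Assumed policy: access must be disabled within one day of the leaving date.
GRACE = timedelta(days=1)

# Assumed date on which the audit is run.
SAMPLE_DATE = date(2018, 1, 16)


@dataclass
class Finding:
    user: str
    reason: str


def audit_revocations(leavers, accounts, today):
    """Return one Finding per policy violation: a leaver's account that is
    still enabled past the grace period, or any login after the leaving date."""
    findings = []
    for acct in accounts:
        left = leavers.get(acct["user"])
        if left is None:
            continue  # current staff member; nothing to revoke
        if acct["enabled"] and today - left > GRACE:
            findings.append(Finding(
                acct["user"],
                f"still enabled {(today - left).days} days after leaving on {left}",
            ))
        if acct["last_login"].date() > left:
            findings.append(Finding(
                acct["user"],
                f"logged in at {acct['last_login']:%Y-%m-%d %H:%M} after leaving on {left}",
            ))
    return findings


def run_sample():
    """Run the audit over the constructed data as of SAMPLE_DATE."""
    return audit_revocations(LEAVERS, ACCOUNTS, SAMPLE_DATE)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.user}: {f.reason}")
```

In a real deployment the leaver list would come from the HR system and the account list from each directory or application that holds personal data; the point of the check is that a login after the leaving date is itself an incident to investigate, not just a missed housekeeping task.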
Consider an audit of your situation. An audit program comprises:
- What personal data is collected (customers, employees, service providers, etc.), where it comes from and from whom, how your organisation obtains it, and why you are receiving it.
- Whether your current infrastructure is compliant: how you store the data, where, for how long and for what purpose. Do you add data from internal or external sources to the data you receive, who does it and why? Is any of this additional data inferred through profiling or similar means?
- The risk to the data subjects: could a breach result in a risk to their rights and freedoms? If so, notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, and inform the data subjects where the risk is high, telling them what measures they can take to mitigate the damage. Document the breach, including the facts and consequences, in the data processing records. Adopt corrective measures.
Don’t forget to:
- Spend time training employees
- Plan and prepare
- Get advice
1. Washington Post, January 4, 2018. (https://www.washingtonpost.com/news/worldviews/wp/2018/01/04/a-security-breach-in-india-has-left-a-billion-people-at-risk-of-identity)
Other sources: www.informationpolicycentre.com, www.eugdpr.org/eugdpr.org.html