Data breaches often trigger administrative investigations as well as media attention, making data security one of the major pitfalls for companies when it comes to GDPR compliance. In this article we explain strategic approaches to risk mitigation in data security. Another aspect is that companies must report data breaches, which we will also briefly address.
In July 2019, the British Information Commissioner's Office (ICO) decided on two milestone cases for enforcement of the EU General Data Protection Regulation (GDPR). British Airways suffered a hacker attack that exposed address and credit card data of 380,000 customers and was fined 183 million British pounds for non-compliance with GDPR standards for data security.
Around the same time, the Marriott hotel group received a 100 million British pounds bill for not closing a security gap that led to the unauthorized disclosure of information on about 30 million EU customers. Mastercard's loyalty program is likely to follow, facing a massive data leak that was reported recently. Small and medium-sized companies have also been affected by security incidents and fined: in Germany alone, the amounts range from 20,000 to 80,000 Euro.
Probably even worse than fines is the reputational damage. Data breaches receive increasing media coverage in Europe, leading to a massive weakening of customer confidence. Let's frame it as a question: would you opt in to customer profiling by a brand that was just all over the news for storing unencrypted credit card data?
How is data security a legal requirement?
The GDPR sets out requirements for data security. Instead of stipulating specific measures, it merely defines a risk-appropriate level of data security as a target to be determined in each individual case, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of the data processing, and the risk of security incidents of varying likelihood and severity.
The GDPR outlines a couple of goals for data security:
- Pseudonymization and encryption of the data
- Confidentiality, integrity, and resilience of IT systems and services
- Availability of data and ability to timely restore data after an incident
- Regular evaluation and update of technical and organizational measures for data security
Executives like CTOs often find this regulatory approach unsatisfyingly vague, particularly considering that non-compliance may be sanctioned with fines of up to 10 million EUR or 2% of the annual turnover, whichever is higher. It may seem that the question of whether a company complies with data security standards can only be answered with certainty in the negative, namely the moment the penalty notice arrives. To protect companies from that risk, the GDPR expressly recognizes certain audits that must be taken into account when demonstrating data security compliance.
What can we do to meet those requirements?
Prospectively: European Data Protection Seal
Under the GDPR, it is possible to apply for certain official data protection seals and marks, which will cover aspects of technical data security and have positive legal effects for the certified companies, for example in demonstrating data security compliance and as a factor for determining the amount of fines.
Current status: the certification bodies themselves are still in the process of being certified. Help is on the way, then, to allow better risk handling for companies. However, it will probably still take some time until a market for certifications has been established that is also accessible to international and non-EU companies.
Currently: Industry recognized audits
For the moment, the best way to mitigate risk is to implement effective data security management and to apply for market-standard IT security certifications such as ISO/IEC 27001 and 27002. ISO has recently issued an extension (ISO/IEC 27701) that also covers the organizational aspects of data protection management. Independent audits and certifications document compliance in two ways: internally, as documenting compliance is an obligation under the GDPR itself; and externally, as a sales argument in the privacy-sensitive market of the European Union.
External audits cost money and always tie up internal resources as well. However, since the ISO standards reflect the GDPR's security targets, companies will benefit in the long term by needing less effort to adapt to officially recognized data protection seals once these have been introduced.
Another way to improve compliance is to carry out a data protection impact assessment (Art. 35 GDPR), which is sometimes mandatory but can in any case be done voluntarily. It may help to identify threats in the specific context of the processing and to find appropriate measures to mitigate the risks. However, it cannot replace audits, as it refers only to specific processing activities rather than to overall data security. On the other hand, it is broader in that it covers not only technical and organizational aspects but also other aspects of GDPR compliance with regard to the processing operations in question.
How should we manage security incidents and data breaches?
Under the GDPR, data controllers must report data breaches to the competent supervisory authority, usually within 72 hours, and, under further conditions, to the customers concerned. A "breach" not only means unauthorized intrusion by external attackers, but also includes the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data, e.g.:
- Hackers gain access to databases containing user information and alter the data
- An HR employee misuses personal information about colleagues for private purposes
- An employee accidentally loses a data carrier or laptop with access to customer data
Companies should have processes in place that ensure the timely drafting, review and delivery of such notifications. For more detailed information on the conditions for and content of personal data breach notifications, you can consult the respective guidelines issued by the European Data Protection Board, an official EU body for privacy matters.
The aftermath: choosing the right strategy
If your company becomes aware of a serious data breach, you should get ready for immediate crisis management: mandatory reporting to supervisory authorities, wording for public relations statements, engaging legal advisors to deal with investigations and, potentially, individual claims for damages.
When choosing a strategy for dealing with the data protection supervisory authority after reporting the data breach, several factors should be considered:
- The willingness to cooperate must be taken into account by supervisory authorities when deciding on whether a fine is issued and in determining the amount of fines.
- Companies are required by law to cooperate with the authorities (Art. 31 GDPR), although the extent of this obligation may be limited by the company's rights against self-incrimination.
- A cooperative approach helps with crisis communication and restoring customer confidence.
- As the examples listed in the introduction show, close cooperation will not always prevent authorities from issuing high fines, but may instead lead to further security gaps being uncovered.
To sum up: there is no one-size-fits-all strategy for handling data breaches and security incidents. Companies should find their own strategy depending on the severity of the breach, the stability of their ties with customers and the resources available to sustain long-term legal disputes.