In this third blog of our series, we are going to examine a specific aspect of GDPR that is considerably more stringent than anything found in previous European data protection legislation – GDPR notification requirements.
GDPR Data Breach Notification
GDPR requires the controller to notify the relevant supervisory authority (the Data Protection Authority, or DPA) of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it. A notification made later than 72 hours must be accompanied by a written explanation of the reasons for the delay. Even though properly documented reports can be filed after the 72 hour mark, DPAs will expect these to be the exception, not the rule. While the GDPR does not specify a format for the notification, it does lay out the information that must be included: the nature of the breach (including, where possible, the categories and approximate number of data subjects and records concerned), the contact details of the Data Protection Officer or other contact point, the likely consequences of the breach, and the measures taken or proposed to address it. Failure to notify correctly and without undue delay, even if you are otherwise compliant, lays you open to a fine of up to €10 million or 2% of your global annual turnover, whichever is higher.
It also requires that, if the breach is likely to result in a high risk to the rights and freedoms of the individuals concerned, the controller must notify those data subjects without undue delay. The GDPR notice requirements also specify measures that remove the need to notify the data subject: in particular, if the affected data was protected so that it is unintelligible to anyone not authorised to access it (encryption is the example the regulation itself gives), or if subsequent measures ensure the high risk is no longer likely to materialise. Encryption at rest therefore does more than reduce breach impact; it can change your notification obligations, but only if the keys were not compromised along with the data.
GDPR Personal Data Definition
First, let's take a step back. How does GDPR define personal data and a personal data breach? Article 4 (the Article which contains definitions of terms) defines 'personal data' as any information relating to an identified or identifiable natural person ('data subject'). Note that this is a much broader category than the 'special categories' of data (such as health, biometric or political data) that are often loosely called sensitive personal data; the breach notification rules apply to all personal data, not just the special categories.
A 'personal data breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
That could mean anything from a full scale hostile incursion into your network to accidentally leaving a print out of an email on a train or other staff error.
The next aspect of this is detection. How do you detect a data breach? At the simplest level, if your staff realise that they've exposed personal data through an error and report it, that is a breach detection. At the other end of the scale, security monitoring systems should flag up personal data breaches, and an alert from them is also a breach detection. In both cases the clock for the 72 hour window starts when the organisation becomes aware of the breach, so the time between an alert firing and someone recognising it as a breach counts against you.
To do this successfully involves having the right sort of controls in place, an essential requirement of GDPR, that give you the capacity to detect and respond to security events. An even worse scenario is that you fail to detect the breach, thanks to a lack of controls, but a third party discovers it and goes public with it. This could lead to a maximum fine of 2% of global annual turnover or €10 million, whichever is greater.
Data Breach Response
GDPR data breach notification requires that effective procedures are followed in the event of a breach. What makes procedures effective?
A major part of this is proper preparation and planning.
These qualities should be embodied in your Cyber Incident Response Plan (CIRP). Your CIRP is the documented evidence of your organisation's due diligence in preparing for such an event.
A good CIRP will cover your various sources of detection, many of which are not IT devices. In fact a CIRP should be able to address a lost filing cabinet full of personnel records as well as a digital network intrusion.
It will start by understanding your organisational risks, and the resulting requirements to mitigate those risks. Indeed, statutory and contractual reporting obligations are just the tip of the iceberg. A strong CIRP also covers topics such as crisis decision making, media relations, business impact mitigation, cyber insurance integration, allocation of roles and how to organise ad hoc teams in a time of crisis, to name just a few.
Europe has already had many data breaches that ended up being more than mere IT data breaches. Very public incidents such as the TalkTalk breach and its aftermath should motivate any organisation to take this risk seriously. If this is not already being discussed by your Board of Directors, it will be. Publicly traded companies in the EU are already listing this risk in their annual reports to shareholders.
A sound CIRP will also address other prevalent cyber risks such as ransomware. The investment required to create this resource can provide value to the organisation for years, as long as it's tested and updated regularly.
Underlying this preparation is another important factor - avoiding falling into the error that I've written about before of thinking that installing the latest bit of technology will do the trick by itself. Even if your protection technologies are installed across the network and detect 95% of commodity attacks, even if your monitoring capability can pick up all abnormal behaviour on the network, that still won't be enough when it comes to GDPR, or indeed to good cyber hygiene. People and process are just as important.
Why is that? Well, let's think about this “72 hour” rule. Actually, the GDPR breach notification requirement underscores the importance of having good security awareness throughout the organisation and the right breach monitoring, detection and reporting processes defined in-house and documented in your CIRP.
But if you don't have defined responsibilities and processes for ensuring that personal data breaches are detected, contained and reported to your Data Protection Officer (a role GDPR makes mandatory for public authorities and for organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data), then it will be a challenge to file a report within 72 hours. That's especially the case in large, diverse organisations across multiple territories and time zones, or in organisations functioning without 24/7 continuous monitoring. While reporting after 72 hours is permitted when the reasons for the delay are well documented, missing the 72 hour window will, at a minimum, lead to closer scrutiny from the DPA.
The preceding blog I referred to earlier covers the steps you need to take to put these processes in place, but I'd like to take a look at one of them in a little more detail: know your data. Mapping out what personal data you hold and where it resides within your perimeter is a good first step, but on top of that you must be able to map out data held outside the perimeter too, for example in cloud storage. GDPR itself obliges processors (third parties such as cloud hosting services, in GDPR terminology) to notify the controller of a breach without undue delay, but it sets no fixed window for them. Knowing where your data sits allows you to require those processors to sign contracts committing them to report any breach they experience to you (the controller) within a short, defined period, so that you can enact your response plans as soon as possible and still have time to meet your own 72 hour deadline.
There's a further step to take too: testing. A rigorous testing regime covering technical controls, policy, people and process, exercised against real-world scenarios, is vital. The moment a breach is discovered is not when you want to find out that your processes for containment, recovery, neutralisation and reporting don't work as expected.
That's a lot to do in a short period of time. How do you get those defined responsibilities and processes in place, fully tested and ready to use by 25th May 2018 when GDPR becomes mandatory?
To be honest, if you aren't already practicing good security hygiene, it's not easy for a company to do all of this internally and unaided by the deadline.
How a Cybersecurity Partnership Can Help
There are many ways in which working with a trusted cybersecurity partner like SecureWorks can make this much less challenging, reducing complexity, time and cost and adding considerable value. The sort of services you should consider include:
- Security monitoring – of the full client estate (including cloud) and key systems that fall in scope of GDPR compliance, as identified during an initial data mapping
- Vulnerability management and configuration management
- Advanced threat services to prevent breaches or improve detection and response
- Incident Response Retainer – experts that work in this ever-changing cyber threat environment, available at a moment's notice.
- And most importantly for complying with the notification requirements, assistance in drafting a Cyber Incident Response Plan (CIRP) which provides the information and processes necessary to meet GDPR notification requirements.