What are the laws on data protection?
Current data protection laws are based on the 1995 Data Protection Directive (DPD, Directive 95/46/EC). In 1995, the European Union recognised the need for one set of rules that could apply to all member states. The DPD protects the personal privacy of individuals in the European Union by controlling how their personal data is collected, processed and used.
How organisations collect and store data has certainly changed since 1995. In 1995, only about 0.4% of the world's population had access to the Internet, almost half of them living in the US, and virtually all access was over dial-up connections. Today, nearly 51% of the world's population has access to the Internet and around half of Internet connections are made from smartphones.
Clearly, these rapid advances have left the DPD outdated and leave individuals exposed to risks it was never designed to address.
How does the GDPR change these laws?
The General Data Protection Regulation (GDPR) replaces the outdated DPD. It gives anyone in the EU greater control over how their personal data is used. Over 67% of people living in the European Union are worried about the safety and control of their personal data. The GDPR addresses this by giving individuals specific data rights, by requiring organisations to have a lawful basis (such as consent) for processing, and by establishing specific requirements for protecting personal data.
What is a breach of data protection?
The GDPR defines a personal data breach as:
“a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed” (Article 4(12)).
In other words, a data breach occurs when data is unintentionally or intentionally/illegally destroyed, misplaced, changed, or accessed by an unauthorised individual. Data breaches can include data being accessed by an unauthorised individual, sent to the wrong individual, or being altered without permission. It can also include the loss of physical data storage devices such as computers or hard-drives (ICO, 2018).
Data breaches can have disastrous impacts on organisations’ reputations and individuals' privacy. Unfortunately, data breaches are becoming more common with 5,207 data breaches occurring in 2017, a 20% increase from 2015.
2018 has already witnessed a significant data protection scandal: Facebook and Cambridge Analytica. In April 2018, it was revealed that Cambridge Analytica had obtained information on up to 87 million Facebook users via an online quiz app, “This Is Your Digital Life”. Unbeknown to those users, Cambridge Analytica then used the information to build profiles for targeted political advertising, including in support of the Trump campaign, during the 2016 US presidential election.
These recent data breaches only further confirm the urgency for up-to-date data protection laws that better protect online consumers.
How to protect your company from a data breach
The GDPR sets out specific requirements for protecting personal data. They apply to any organisation that collects or processes data about anyone in the EU. Under these rules, organisations must follow the principles of “data protection by design” and “data protection by default” (Article 25). Appropriate technical measures include the pseudonymisation and encryption of personal data (Article 32), which render the data unintelligible to anyone who obtains it without the key or the separately held re-identification information. Data protection measures should be regularly assessed and, where applicable, overseen by an appropriately qualified individual or DPO (data protection officer).
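The following Python example is added here to show what “pseudonymisation” means in practice; it is not code from the original article. It contrasts an unkeyed hash of an e-mail address, which an attacker holding the leaked dataset can reverse by simply recomputing it over a list of candidate addresses, with an HMAC under a secret key that is held separately from the dataset. The sample records, the candidate list and the in-memory key handling are constructed for illustration (a real deployment would keep the key in a KMS or HSM and the re-identification table in a separate, access-controlled store).

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Constructed sample records for illustration only (no real people).
RECORDS = [
    {"email": "alice@example.com", "plan": "pro", "country": "DE"},
    {"email": "bob@example.org", "plan": "free", "country": "FR"},
]


def weak_pseudonym(email: str) -> str:
    """Unkeyed SHA-256 of the identifier.

    Looks opaque but is NOT adequate pseudonymisation: e-mail addresses are
    enumerable, so anyone holding the dataset can recompute the hash for
    candidate addresses and link rows back to people (see dictionary_attack).
    """
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()


def keyed_pseudonym(email: str, key: bytes) -> str:
    """HMAC-SHA256 of the identifier under a secret key.

    The key is the 'additional information' of Article 4(5): it is held
    separately from the analytics dataset, so whoever obtains the dataset
    alone can neither recompute nor reverse the tokens.
    """
    return hmac.new(key, email.strip().lower().encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(records: Iterable[Dict[str, str]], key: bytes) -> Tuple[List[Dict[str, str]], Dict[str, str]]:
    """Split records into (analytics dataset, re-identification table).

    The dataset keeps only the keyed token plus non-identifying attributes;
    the token -> e-mail table must be stored and access-controlled separately.
    """
    dataset: List[Dict[str, str]] = []
    table: Dict[str, str] = {}
    for record in records:
        token = keyed_pseudonym(record["email"], key)
        row = {k: v for k, v in record.items() if k != "email"}
        row["subject_id"] = token
        dataset.append(row)
        table[token] = record["email"]
    return dataset, table


def dictionary_attack(token: str, candidates: Iterable[str], pseudonym_fn: Callable[[str], str]) -> Optional[str]:
    """Try to re-identify a token by recomputing pseudonym_fn over guesses.

    Models an attacker who has obtained the dataset and a list of likely
    addresses (a leaked mailing list, say) but not the HMAC key.
    """
    for candidate in candidates:
        if hmac.compare_digest(pseudonym_fn(candidate), token):
            return candidate
    return None


if __name__ == "__main__":
    # Assumption: key generated here for the demo; in production it lives in a KMS, never next to the data.
    key = secrets.token_bytes(32)
    dataset, table = pseudonymise(RECORDS, key)
    guesses = ["carol@example.net", "alice@example.com"]

    # Unkeyed hash: the attacker re-identifies Alice with two guesses.
    print(dictionary_attack(weak_pseudonym("alice@example.com"), guesses, weak_pseudonym))
    # Keyed token, attacker without the key: nothing comes back.
    print(dictionary_attack(dataset[0]["subject_id"], guesses, weak_pseudonym))
    # The controller, holding the key and table, can still re-identify for a legitimate purpose.
    print(table[dataset[0]["subject_id"]])
```

Note that keyed pseudonymised data is still personal data under the GDPR (Recital 26), because the controller can re-identify it; the measure reduces the impact of a breach of the dataset, it does not take the data out of scope. Where you need to recover the original value rather than just link records, use encryption with a separately managed key instead of, or in addition to, the HMAC token.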
In addition to GDPR requirements, it's also important to encourage employees to take proactive measures to prevent data breaches as it can be relatively easy to leak confidential information. Employees should be aware of vulnerabilities when downloading third-party apps, sending unsecured emails, or taking data outside the office (for example, taking a work laptop home). More practical tips for preventing accidental data breaches can be found in our Protect personal data throughout the business day infographic.
What to do if you suspect a breach?
Despite your best efforts and compliance with GDPR requirements, it is impossible to completely protect against data breaches. When you suspect a breach, it's important to assess the impact to determine if the breach must be reported to the relevant supervisory authority (for example, the ICO in the UK) or data subjects.
You must notify the supervisory authority unless the breach is unlikely to result in a risk to individuals' rights and freedoms (Article 33), and you must also notify the affected individuals without undue delay when the breach is likely to result in a high risk to them (Article 34). The supervisory authority must be notified within 72 hours of becoming aware of the breach where feasible; a later notification must be accompanied by the reasons for the delay. A breach assessed as unlikely to result in a risk does not need to be reported, but you must document it, including the facts and your reasoning, so that the supervisory authority can verify the decision (Article 33(5)).
Under the GDPR, a breach notification to the supervisory authority must include at least the following (Article 33(3)):
- A description of the nature of the breach, including the categories and approximate number of affected individuals and data records
- The name and contact details of your DPO, if one has been appointed, or of another contact point
- A description of the likely consequences of the breach
- A description of the measures taken or proposed to address the breach, including, where appropriate, measures to mitigate its possible adverse effects
This notification must be made by the data controller within 72 hours of becoming aware of the breach; a processor that discovers a breach must notify the controller without undue delay (Article 33(2)). Failure to report breaches properly can attract a fine of up to 10 million euros or 2% of worldwide annual turnover, whichever is higher, while breaches of the core principles or of individuals' rights can attract a fine of up to 20 million euros or 4% of worldwide annual turnover, whichever is higher (Article 83). Beyond fines, a data breach can severely damage your company's reputation, leading to lost customers and profits; ultimately, a data breach could even lead to bankruptcy.
With such drastic impacts, it's essential to protect against data breaches, to the greatest possible degree, with robust breach processes. These processes ensure that your company complies with GDPR requirements and helps you detect and report a breach within the required timeframe.
More information about the GDPR, including GDPR compliance and in-depth insight, can be found by visiting our GDPR page.