GDPR Data Breach Notification WP29 Guidelines

The GDPR data breach notification obligation requires controllers to adopt appropriate technical and organisational measures to safeguard personal data during processing. Because assessing the degree of risk posed by a breach is not always straightforward, the Article 29 Data Protection Working Party (WP29) has recently adopted Guidelines on personal data breach notification under the GDPR.

When unauthorised or unlawful processing, or accidental loss, destruction or damage of personal data occurs, controllers may be under an obligation to notify the supervisory authority and the affected data subjects, following an appropriate risk assessment. The Guidelines assist controllers and processors in complying with their obligations under Articles 33 and 34 of the GDPR in the event of a potential personal data breach.

Data processor’s obligation

Although responsibility for the protection of personal data rests with the controller, the processor must enable the controller to comply with the notification requirements. Hence, if a processor becomes aware of a breach of personal data that it has been processing on the controller’s behalf, it is bound to notify the controller ‘without undue delay’.

Notification of the personal data breach to supervisory authority

In the event of a security breach likely to result in a risk to the rights and freedoms of individuals, the controller is obliged to notify the lead supervisory authority in order to receive guidance.

The time frame for notification is no later than 72 hours from the moment the controller has obtained a reasonable degree of certainty that a breach compromising personal data has taken place. If the controller does not yet possess all the relevant information, it may notify in phases, in parallel with its investigation.

Nonetheless, when the breach is unlikely to result in a risk to the rights and freedoms of natural persons, the controller is not under an obligation to notify. For instance, if an encrypted CD containing a backup of an archive with personal data is stolen, the notification requirement is unlikely to apply.

Communication of the personal data breach to data subjects

The assessment of risk is decisive for whether communication to the data subjects is required. If the breach is likely to lead to a high risk to the rights and freedoms of individuals, such as discrimination, financial damage, identity theft, fraud or humiliation, the affected individuals must be notified. The severity of the potential impact should be estimated on a case-by-case basis, taking into account the type of breach; the nature, sensitivity and volume of the personal data; the ease with which individuals can be identified; and the particular characteristics of the individuals and of the controller.

The communication should be clear and transparent, delivered through dedicated messages and preferably circulated via several contact channels, e.g. email, advertisements in printed media, communication by post, or prominent website banners.

Failure to notify data subject or supervisory authority

If controllers do not comply with their obligation to notify the supervisory authority, the data subjects, or both of a data breach, corrective measures including appropriate administrative fines may apply. Pursuant to Article 83(4)(a) of the GDPR, the supervisory authority is entitled to impose an administrative fine of up to 10,000,000 EUR or up to 2% of the undertaking’s total worldwide annual turnover.

Suggested response plan

What to do next? With the help of your Data Protection Officer, a response plan comprising the following areas should be prepared:

  • A person or group of persons should be responsible for receiving all information about security incidents, in order to establish whether a breach has occurred and to assess the risk.
  • A risk assessment regarding the rights and freedoms of individuals should take place, and its findings (no risk, risk, or high risk) should be communicated to the appropriate sections of the organisation.
  • If a risk is established, the controller must notify the supervisory authority and, if the risk is high, communicate the breach to the individuals involved.
  • Simultaneously, the controller should take the relevant measures to contain the breach and recover from it.

Do you require assistance preparing for GDPR and managing your data protection obligations after it becomes applicable? Aphaia provides both GDPR adaptation consultancy services and Data Protection Officer outsourcing.

Felicia Yap on iDiaries and our online memory delusions

In Felicia Yap’s speculative world of ‘Yesterday’, people’s short-term memories are finite, so everyone records their daily experiences on electronic diaries. The Guardian’s Rising Star for Fiction 2017 chats to Aphaia Blog about our online memory delusions.

EU law, including the General Data Protection Regulation (GDPR), grants individuals the ‘Right to be Forgotten’, enabling them to request erasure of personal data stored about them online. But what if all our memories were stored on electronic platforms (such as Facebook and Instagram profiles) or, as in ‘Yesterday’, on an iDiary? How would that affect our perception of reality, and our privacy?

According to Felicia Yap, the iDiary acts as a technological metaphor for the all-too-human desire to remember. But the metaphor also questions whether the information we hold on our electronic devices and online platforms is real, or merely what we choose to believe about our pasts. She says she wanted to explore our capacity for self-delusion, the lies we choose to tell ourselves. The iDiary is therefore “a technological metaphor for what we choose to remember and how we do it.”

We note that, just as in our world, iDiary privacy in ‘Yesterday’ is protected by privacy law, much as our offline and online personal data is protected under the Data Protection Act 1998 and now the GDPR. A brilliant fiction writer, Felicia Yap has created parallels with aspects of our ICT-dominated world, including data protection law.

The Aphaia team wishes Felicia Yap many more bestsellers, whilst we continue to help businesses adapt to GDPR and act as their Data Protection Officers.

GDPR after Brexit

Our blog editor Vasiliki Antoniadou explores the exchange of position papers between the UK and the European Commission regarding data protection and the GDPR after Brexit.

As the withdrawal of the United Kingdom from the European Union approaches, the necessary and time-consuming negotiations in the legislative field are getting under way. Since the GDPR comes into force in May 2018 and the transition period for Brexit ends in 2019, the UK is bound to implement the GDPR, something disputed by neither side. The question is what will happen post-Brexit to transfers of personal data between the UK and the EU member states.

As mentioned in our previous article, UK national law will be aligned with the GDPR through the amendments to the Data Protection Act introduced in the House of Lords last week. However, it is crucial that an agreement is reached to ensure the free flow of personal data between the UK and the EU.

The UK position on GDPR after Brexit

In late August, the UK government published a position paper outlining its preferred approach to the exchange and protection of personal data post-Brexit, which concludes with the following points:

  • The UK is seeking a finding of adequacy by the EU regarding its amended national law, which is going to implement the GDPR requirements.
  • The withdrawing party intends to follow the adequacy decisions of the EU with respect to the data protection laws of the countries outside the EU.
  • With a view to regulatory cooperation, the UK is willing to discuss a model including the future involvement of the Information Commissioner’s Office (ICO) in EU regulatory developments.

The EU position on data protection after Brexit

The European Commission replied to the UK government’s initiative by releasing its own position paper on 7 September 2017. The paper addresses data of EU citizens received or processed by the UK or by UK entities prior to the withdrawal date, and proposes that the GDPR provisions should continue to apply to such data even after withdrawal. Moreover, the Commission confirms that after Brexit EU law will continue to apply to personal data of UK data subjects processed by the Union institutions prior to Brexit.

Further thoughts on GDPR after Brexit

It is clear that the Commission’s position remained rather general, since it is already known that the amended Data Protection Bill satisfies the required EU standards even after withdrawal. Notably, at this stage it did not address the main UK suggestions regarding the adequacy model and the ongoing role of the ICO in the EU regulatory dialogue.

Do you require assistance adapting your company to GDPR and coping with Brexit? Aphaia provides both GDPR adaptation consultancy services and Data Protection Officer outsourcing.

GDPR to-do list this autumn

GDPR starts to apply less than a year from now, which seems like reason enough to panic for the many data-driven organisations that have not yet addressed the transition. But instead of panicking, it may be better to have a look at our autumn GDPR to-do list.

1. Map your personal data

Personal data mapping may sound like a basic step in any data protection compliance exercise, but the truth is that it becomes far more serious under the GDPR. Requirements such as privacy by design and by default, stricter consent rules, enhanced data security obligations and data protection impact assessments all demand a very clear overview of the personal information under the company’s control. Whereas a full mapping exercise may require the assistance of a privacy professional, a basic overview can easily be produced in-house by involving all the relevant departments, such as marketing, sales, HR, legal and IT.

2. Identify any key risks

In many cases, you do not need to be a trained privacy professional to spot a major data privacy risk. For example, a system in which any employee can access personal data and where no measures such as pseudonymisation or encryption are in place is unlikely to comply with the GDPR. Other risks are more subtle and are best identified and assessed by a privacy professional; for example, the use of IoT devices might reveal aspects of individuals’ lives not foreseen by the solution provider. Why not start with a homemade list to get an initial idea and then consult a professional?

3. Plan your GDPR compliance journey

Will you simply require one-off assistance, or are you among the organisations that the GDPR requires to appoint a Data Protection Officer? In either case, you will have to decide whether to tackle data protection issues in-house or to seek external expert assistance.

Aphaia provides both GDPR adaptation consultancy services and Data Protection Officer outsourcing.