Since the introduction of the Data Protection Directive (DPD) in 1995, European member states have faced inconsistencies in their personal data protection standards. In the fourth of our series of General Data Protection Regulation (GDPR) blogs we’re discussing changes to data breach notifications and what that means for your business, as standardisation takes hold.
The inconsistent data protection standards that currently exist between member states have been driving the EU’s new legislation alongside a number of other factors.
The current patchwork of breach notification standards highlights the need for uniformity. For instance, if a Switzerland-based business suffers a data breach affecting people in Germany, Italy and Spain, the organisation must today work out and comply with the breach notification rules of each of those member states separately. Awkward, no?
As a regulation, the GDPR resolves this vexing issue by its very nature. A directive such as the DPD sets out objectives that each member state must achieve by passing its own national law, and each state transposed the DPD differently, so the rules for handling data vary from one country to the next. A regulation, by contrast, applies directly and uniformly in every member state without national implementing legislation.
However, as of 25th May 2018 (the GDPR compliance deadline) this is all set to change. If, for example, a Switzerland-based business suffers a data breach affecting people in Germany, Italy and Spain, the organisation must comply with the GDPR’s ONE set of breach notification standards. Note that the GDPR reaches beyond the EU’s borders: a business established outside the EU falls within its scope if it offers goods or services to, or monitors the behaviour of, people in the EU, which is why the Swiss business in this example is caught at all.
Breach notification requirements differ ever so slightly for data controllers and data processors. But before we get to that, the important first step to accommodating the changes must be ensuring that your entire workforce understands what a personal data breach is. After all, to report something your workforce must be able to recognise it.
So, what is a personal data breach?
A personal data breach is not simply the loss of data, but any breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data that is transmitted, stored or otherwise processed. A lost laptop, a misdirected email, a ransomware infection that makes records unavailable and an attacker reading a customer database all qualify.
If you are a data controller – you decide why and how personal data is processed – and you suffer a personal data breach, the GDPR states that you must notify the relevant supervisory authority without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach. The one exception is a breach that is unlikely to result in a risk to the rights and freedoms of the people affected. If you miss the 72-hour window, the notification must be accompanied by the reasons for the delay, and where the facts are still emerging you may notify in phases rather than wait for a complete picture. Two further points are easy to overlook: where a breach is likely to result in a high risk to the people affected, you must also tell those individuals without undue delay; and you must keep an internal record of every personal data breach, including the ones you decide not to report, so that the supervisory authority can verify your reasoning.
If you are a data processor – you process personal data on behalf of, and on the instructions of, a controller, for example as a hosting or SaaS provider – you must inform the controller of the breach without undue delay after becoming aware of it. The controller’s 72-hour clock depends on hearing from you promptly, so processing contracts should spell out how and how quickly that notification happens.
A failure to do any of the above could result in a Tier 2 fine of up to €10m or 2% of your organisation’s global annual turnover, dependent on which is the greater amount. And, let’s be honest, either would be a huge hit to most businesses and very much worth avoiding.
To make sure you are prepared for the compliance deadline – 25th May 2018 in case you missed it earlier – our latest whitepaper, ‘GDPR is Around the Corner: Are You Ready?’ is here to guide you through the key changes to personal data protection laws.
You can read blogs one, two and three in the GDPR series so far, here: