A GDPR Catch 22?
Blog authored by Ian Moyse.
‘With great power comes great responsibility’ and holding someone’s personal data is powerful, the more you know about them the more useful this data becomes. For example, a pure name and favourite colour does not personally and uniquely identify the person or have any intrinsic risk to that individual.
Knowing their name, National Insurance Number, home address, salary etc goes to another level. This can be used to impact the individual, place their identify at risk, expose them to fraud and is probably information they would not want shared in the public domain.
Hence GDPR (General Data Protection regulation) the new stronger European data law comes into enforcement on May 25th 2018, to protect citizens in a world that has massively changed in the last 10-15 years with regard to what data is held on you, how easy it is to be shared and the new technologies such as Web 2.0 (Social Media), cloud, mobile, big data and more that have appeared and become commonplace in our lives.
A One of the key edicts of GDPR (there are many others such as the right to be forgotten, consent and Data accountability) is Mandatory Breach Notifications.
Under Article 33 of GDPR if a data breach of personal data occurs, the data controller (the business who is using the data, not the data processor / cloud provider who must notify the controller if they become aware of any such breach) must notify the relevant supervisory authority within 72 hours of the breach becoming known. It is important to note that NOT all breached by default have to be reported; the defining test factor is ‘It will be mandatory to report a personal data breach under the GDPR if it’s likely to result in a risk to people’s rights and freedoms.’
But is this enough, where does the data controller and processor role stand in relation to each other and reporting?
Any GDPR breach notification must include a breach description (number of records, type of data…), likely consequences and how it’s being addressed.
The questions that pose interesting dilemmas include;
- If my data processor informs me as the data controller (eg the cloud provider we use tells our business) that they have had a breach that may affect our account/data – do we have to report a breach to the authorities ourselves or are we safe to rely on the fact that the Data processor is telling us they have reported it? If they have reported should we report it too?
- If the breach has been reported , do we have to inform our customers immediately or do we wait for the outcome from the authorities?
- Should I be requesting that Cloud contracts I sign have provision that the cloud provider has to inform within 72 hours if they think my data has been affected, or is this a given that they have to do this anyway under standard GDPR rulings?
- If a provider (data processor) has a data breach that affects my data (as a Data controller) and they do not inform me for 10 days, am I in breach of non-reporting as I did not know of the issue?
Jim Sneddon, CEO of GDPR Consulting firm Assuredata commented “I think the new Data Breach requirements are a good thing, as they will sharpen the focus on data protection and promote transparency within organisations processing personal data, which will give customers confidence.
Some organisations could see some of the GDPR regulation as something that could be onerous and potentially impact their business, however I point to the Health and Safety in the workplace regulation of 1974.
Since its implementation, fatalities in the workplace have been reduced by 85% and non-fatal injuries have fallen by 58%. This is due to the notion of protecting people becoming ingrained in corporate culture.
I believe the same should be achieved with Personal Data and who would argue if we could achieve results like that?”
There will be grey areas in GDPR for a while to come and certainly in the early stages there will be test cases and adjustments to the Articles to clarify and ratify their use in real world practise.
So, for now the best advice is to get yourselves GDPR compliant, strengthen processes, clean data and review cloud provider agreements and their alignment to GDPR and protecting you in protecting your customers data.
Frank Jennings, Partner, Wallace LLP and known as the ‘Cloud Lawyer’ (Read his Blog here) “The need to protect personal data is not new but GDPR marks a step change, with new investigatory and enforcement powers plus, of course, the notorious higher fines. Customers need to check their cloud providers are ready for the changes under GDPR and ensure the contracts address the issues properly too.“
There is no need for inherent fear from GDPR and the strengthening of data laws, this is a long overdue and good thing for us all as citizens and businesses. The current data laws had fallen behind the technology now in use and this simply re-aligns to address the way we now hold, store and use data.