The EU General Data Protection Regulation (GDPR) which will apply from May 2018 includes enhanced data security requirements and obligations to notify regulators and individuals of data breaches. A failure to comply with key provisions may lead to a fine of up to €20 million or 4 per cent of global annual turnover in the previous year, whichever is greater. The GDPR applies not only to companies based in the EU, but also to companies that sell goods or services to EU individuals or that monitor individuals in the EU.
The GDPR retains the general obligation to take appropriate technical and organisational measures to protect personal data. This is a flexible standard and the measures you will need to take will depend on a range of factors including the sensitivity of the information processed and the wider technological environment. However, it is not necessarily a low standard. If a security breach occurs, regulators will generally assess your security with the benefit of hindsight.
Added to this general obligation are specific obligations under the GDPR to:
- encrypt or pseudonymise data;
- ensure appropriate resilience and business continuity measures; and
- test security measures, for example through penetration testing.
These obligations only apply 'where appropriate' so are not mandatory in all cases. However, if you have not implemented these measures, you are likely to be pressed hard to explain why not.
The GDPR also introduces a new tiered breach reporting obligation. In summary:
- all personal data breaches should be recorded;
- if the personal data breach is a 'risk' for individuals it must be reported to the relevant data protection authority without undue delay and where feasible within 72 hours; and
- if the personal data breach is a 'high risk' for individuals, those individuals must be notified.
There are already some sector-specific breach reporting requirements (for example, in the telecoms and financial services sector) but for most organisations this is new. In many cases, you will need a new internal reporting process to be set up so that suspected breaches can be investigated, analysed and a report made within the strict new deadline.
The new breach reporting requirements differ in a few key ways from the new notifiable data breach scheme (the NDB Scheme) that will take effect in Australia from 22 February 2018:
- Under the GDPR, all personal data breaches must be recorded by organisations, whereas there is no requirement to record any breaches under the NDB Scheme.
- The threshold for notification to the regulator and individuals is slightly lower under the GDPR. Under the NDB Scheme, a breach must be notified if it is 'likely to result in serious harm' to the relevant individuals, as opposed to the GDPR's thresholds of a 'risk' or 'high risk' to individuals.
- The timeline for notification to the regulator is much shorter under the GDPR, being 72 hours. Under the NDB Scheme, an organisation must assess whether the data breach is notifiable expeditiously and at least within 30 days. Once an organisation determines that the breach is notifiable, it must notify the regulator 'as soon as practicable'.
For more on the new NDB Scheme see our Incoming Notifiable Data Breaches Scheme. The rules in the GDPR will also be supplemented by the Network and Information Systems Directive which also applies from May 2018. This will impose breach reporting obligations on operators of critical infrastructure and some online operators.
Finally, these changes do not just apply to companies established in the EU. The GDPR has extra-territorial effect and applies to some companies that deal with individuals in the EU. In particular, it captures companies based outside the EU that either:
- offer goods or services to EU individuals; or
- monitor individuals in the EU.
The Office of the Australian Information Commissioner has released guidance to help Australian businesses navigate the impact of this extra-territorial component.
For more on the impact of the GDPR on your business, see Linklaters' GDPR Survival Guide.